[Buildroot] [RFC v9 05/10] toolchain/toolchain-ext: glibc cpe-info support

Thomas Petazzoni thomas.petazzoni at bootlin.com
Thu Jun 25 11:09:06 UTC 2020

On Tue, 16 Jun 2020 12:03:36 -0500
Matt Weber <matthew.weber at rockwellcollins.com> wrote:

>  $(1)-cpe-info: PKG=$(2)
> +$(1)-cpe-info: toolchain
> +endif
>  $(1)-cpe-info:
>  ifeq ($$($(2)_TYPE),target)
> +ifneq ($$($(2)_NAME),toolchain-external)
> +ifneq ($(findstring TOOLCHAIN_EXTERNAL, $(2)),)
> +	$$(eval $(2)_VERSION = $$(shell $$(call TOOLCHAIN_CPE_INFO)))
> +	$$(eval $(2)_CPE_ID_VENDOR = gnu)
> +	$$(eval $(2)_CPE_ID_NAME = glibc)
> +	$$(eval $(2)_ACTUAL_SOURCE_SITE = https://github.com/bminor/glibc/releases)
> +	$$(eval $(2)_RAWNAME = glibc)

It is absolutely atrocious to have this stuff directly in the middle of
pkg-generic.mk, and even further only within the $(1)-cpe-info target.

Why isn't this been done inside the external toolchain package itself,
or the external toolchain package infrastructure ?

I think this specific issue of having proper tracking of the target
elements (C library, gcc runtime) of the toolchain is global, and not
just for CPE/CVE tracking: we already do not properly track this in
terms of legal-info for example.

So rather than this one-off hack that solves just the specific case of
CPE tracking for glibc in external toolchains, we need a more global

Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering

More information about the buildroot mailing list