It feels like only yesterday when we reviewed what we did in 2021, and suddenly 2022 is over too! This was a busy year for everyone and obviously we didn’t feel the time passing by. However, we can try to remember what we did and admit that all this indeed took time!
The main achievement was the release in May of version 4.0 (aka Kirkstone), our second LTS (Long Term Support) release. The project is committed to supporting it for at least two years, and at the same time continues to support its first LTS (3.1, aka Dunfell) for two more years (until Apr. 2024). In this way developers have plenty of time to switch from one LTS to the next. It is an interesting experiment for the project to see how much effort will be required to: support one LTS release for 4 years, maintain another LTS (Kirkstone), produce the current stable release, and prepare for the next release, all at the same time!
The project was pleased to announce 100% binary reproducibility of the project’s core components, with this feature enabled by default in all builds. The project also added SPDX Software Bill of Materials (SBoM) generation, and now has automated tooling around CVE analysis. These features mean systems built with the project have clearly identified components and can be rebuilt or changed in the future should the need arise, for security updates or any other reason.
Here is a curated selection of noteworthy technical changes found in the releases we made in 2022:
- Release 4.0 (Kirkstone) included Rust and SPDX 2.2 SBoM generation support. These features were already present in version 3.4 (October 2021), but continued to mature in 2022. Rust improves software development efficiency while providing enhanced memory management. SPDX facilitates management of open source licenses and security vulnerability assessment.
- Release 4.0 was also the first LTS with our new override syntax, introduced in 3.4. The new syntax helps engineers by clearly distinguishing override labels from variable names.
- CVE checking improvements, in particular the ability to export the report in JSON format. These improvements facilitate keeping distributions up to date with security fixes.
- License names in recipes must now be standard SPDX license identifiers. The standardization of license names facilitates management of open source licenses.
- Binary reproducibility is now standard, and network access is now disabled by default (in all tasks except do_fetch), relieving developers from explicitly enabling/disabling them. The new defaults improve build consistency from the beginning of a new project.
There was also news on the documentation front. In particular, coverage for a few topics was expanded:
- Brand new SPDX SBoM generation documentation.
- Improved documentation of CVE management.
- Release notes are now part of the documentation, not just in plain text but in all the formats supported by Sphinx. In particular, this makes it possible to refer to a particular section of the release notes. These new release notes are found next to the release migration notes link, starting from version 3.4 (Honister) on.
Conferences and summits
We organized two successful virtual Yocto Project Summits in 2022.
The first one was in May, offering a mix of hands-on sessions, technical presentations and product showcases, followed by informal “Social Hour” time to chill out with speakers and other participants. 21 videos were recorded and slides are available on elinux.org. 273 unique participants attended this event.
The Yocto Project got back to in-person events for the first time by having 5 talks at the Embedded Linux Conference in Austin in June.
The Yocto Project also had a big presence at the Embedded Linux Conference Europe in Dublin in September, including 5 sessions and a booth which was donated by Arm. This booth was busy at all times! This event allowed many friends of the project to reunite at last for the first time in 3 years.
The Yocto Project has been working with SPDX, another Linux Foundation project, to support generating Software Bill of Materials (SBoM) files which can include all the relevant metadata in BitBake recipes, the dependencies between them, and security vulnerability information. Yocto Project developer Joshua Watt is involved in drafting version 3.0 of the SPDX standard.
The Yocto Project, being an Open Source project, has many well-known users, but also many invisible ones. If your company is one of the invisible ones, you can help raise awareness of the Yocto Project without having to reveal any secret information by adding your company’s name to the list on the Project Users wiki page. Of course, more detailed testimonials such as blog posts are even better, and we will be happy to give visibility to them if you let us know through our advocacy mailing list.
Following hard-to-predict events which happened in 2022, the Yocto Project is now present on Mastodon. If you haven’t tried it yet, you will be surprised how many familiar names and faces you will find there!
The BMW Group joined the project as a Platinum member and Axis Communications also joined the project as a Silver member. We are grateful to all our members who back our community contributors through engineering time and funding!
Synesso brings the ultimate coffee experience of coffee shops to the home with the ES.1. The innovative fuzzy logic control system lets the user experiment with and fine tune all parameters of the brewing process. At the push of the home barista’s fingertips the Yocto Project powered touch computer adjusts pressure and temperature, provides graphical analysis, records brewing profiles and automates in pursuit of the perfect recipe.