12 files changed, 441 insertions, 68 deletions

diff --git a/meta-multimedia/recipes-multimedia/pipewire/pipewire_1.4.3.bb b/meta-multimedia/recipes-multimedia/pipewire/pipewire_1.4.4.bb
index 5fe8a1c105..5eefb07532 100644
--- a/meta-multimedia/recipes-multimedia/pipewire/pipewire_1.4.3.bb
+++ b/meta-multimedia/recipes-multimedia/pipewire/pipewire_1.4.4.bb
@@ -12,7 +12,7 @@ LIC_FILES_CHKSUM = " \
 
 DEPENDS = "dbus ncurses"
 
-SRCREV = "331d5e03516a99c56b3064dbbbd639a3ae848d36"
+SRCREV = "3f79bcae5d4415f82907b49221ca05241a7f263c"
 BRANCH = "${@oe.utils.trim_version('${PV}', 2)}"
 SRC_URI = "git://gitlab.freedesktop.org/pipewire/pipewire.git;branch=${BRANCH};protocol=https"
 
diff --git a/meta-oe/classes/discoverable-disk-image.bbclass b/meta-oe/classes/discoverable-disk-image.bbclass
new file mode 100644
index 0000000000..e601bf452f
--- /dev/null
+++ b/meta-oe/classes/discoverable-disk-image.bbclass
@@ -0,0 +1,132 @@
+##
+# Copyright OpenEmbedded Contributors
+#
+# SPDX-License-Identifier: MIT
+#
+#
+# Discoverable Disk Image (DDI)
+#
+# "DDIs (Discoverable Disk Images) are self-describing file system
+# images that follow the DPS ( Discoverable Partitions Specification),
+# wrapped in a GPT partition table, that may contain root (or /usr/)
+# filesystems for bootable OS images, system extensions, configuration
+# extensions, portable services, containers and more, and shall be
+# protected by signed dm-verity all combined into one. They are
+# designed to be composable and stackable, and provide security by
+# default."
+# https://uapi-group.org/specifications/specs/discoverable_disk_image/
+# https://uapi-group.org/specifications/specs/discoverable_partitions_specification/
+# https://www.freedesktop.org/software/systemd/man/latest/systemd.image-policy.html
+
+# To be able to use discoverable-disk-images with a
+# root-verity-sig or usr-verity-sig configuration:
+# - systemd needs to include the PACKAGECONFIG 'cryptsetup', and
+# - the kernel needs the following features enabled:
+#   CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG=y
+#   CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_PLATFORM_KEYRING=y
+#   CONFIG_EROFS_FS=y
+#   CONFIG_EROFS_FS_XATTR=y
+#   CONFIG_EROFS_FS_ZIP=y
+#   CONFIG_EROFS_FS_ZIP_LZMA=y
+#   CONFIG_INTEGRITY_SIGNATURE=y
+#   CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
+#   CONFIG_INTEGRITY_PLATFORM_KEYRING=y
+#   CONFIG_SYSTEM_BLACKLIST_KEYRING=y
+#   CONFIG_SYSTEM_BLACKLIST_HASH_LIST=""
+#   CONFIG_SIGNATURE=y
+
+# To sign DDIs, a key and certificate need to be provided by setting
+# the variables:
+#   REPART_PRIVATE_KEY
+#     private key so sign the verity-hash
+#   REPART_PRIVATE_KEY_SOURCE
+#     optional, can be "engine:pkcs11" when using a (soft)hsm
+#   REPART_CERTIFICATE
+#     corresponding public certificate, in .pem format
+#
+
+# For signature verification, systemd-sysext expects the matching
+# certificate to reside in /etc/verity.d as PEM formated .crt file.
+#
+# To enforce loading of only signed extension images, an appropriate
+# image policy has to be passed to systemd-sysext, e.g.:
+# systemd-sysext --image-policy='root=signed+absent:usr=signed+absent:=unused+absent' merge
+
+# 'systemd-dissect' can be used to inspect, manually mount, ... a DDI.
+
+inherit image
+
+IMAGE_FSTYPES = "ddi"
+
+DEPENDS += " \
+    systemd-repart-native \
+    erofs-utils-native \
+    openssl-native \
+"
+
+# systemd-repart --make-ddi takes one of "sysext", "confext" or "portable",
+# which it then takes and looks up definitions in the host os; which we need
+# to divert to the sysroot-native by setting '--definitions=' instead.
+#
+REPART_DDI_TYPE ?= "sysext"
+
+REPART_DDI_EXTENSION ?= "ddi"
+
+# systemd-repart creates temporary directoryies under /var/tmp/.#repartXXXXXXX/,
+# to estimate partition size etc. Since files are copied there from the image/rootfs
+# folder - which are owned by pseudo-root - this temporary location has to be
+# added to the directories handled by pseudo; otherwise calls to e.g.
+# fchown(0,0) inside systemd git/src/shared/copy.c end up failing.
+PSEUDO_INCLUDE_PATHS .= ",/var/tmp/"
+
+oe_image_systemd_repart_make_ddi() {
+
+    local additional_args=""
+
+    if [ -n "${REPART_PRIVATE_KEY}" ]
+    then
+        if [ -n "${REPART_PRIVATE_KEY_SOURCE}" ]
+        then
+            additional_args="$additional_args --private-key-source=${REPART_PRIVATE_KEY_SOURCE}"
+        fi
+        additional_args="$additional_args --private-key=${REPART_PRIVATE_KEY}"
+    fi
+
+    if [ -n "${REPART_CERTIFICATE}" ]
+    then
+        additional_args="$additional_args --certificate=${REPART_CERTIFICATE}"
+    fi
+
+    # map architectures to systemd's expected values
+    local systemd_arch="${TARGET_ARCH}"
+    case "${systemd_arch}" in
+        aarch64)
+        systemd_arch=arm64
+        ;;
+        x86_64)
+        systemd_arch=x86-64
+        ;;
+    esac
+
+    # prepare system-repart configuration
+    mkdir -p ${B}/definitions.repart.d
+    cp ${STAGING_LIBDIR_NATIVE}/systemd/repart/definitions/${REPART_DDI_TYPE}.repart.d/* ${B}/definitions.repart.d/
+    # enable erofs compression
+    sed -i "/^Compression/d" ${B}/definitions.repart.d/10-root.conf
+    echo "Compression=lzma\nCompressionLevel=3" >> ${B}/definitions.repart.d/10-root.conf
+    # disable verity signature partition creation, if no key is provided
+    if [ -z "${REPART_PRIVATE_KEY}" ]; then
+        rm ${B}/definitions.repart.d/30-root-verity-sig.conf
+    fi
+
+    systemd-repart \
+        --definitions="${B}/definitions.repart.d/" \
+        --copy-source="${IMAGE_ROOTFS}" \
+        --empty=create --size=auto --dry-run=no --offline=yes \
+        --architecture="${systemd_arch}" \
+        --json=pretty --no-pager $additional_args \
+        "${IMGDEPLOYDIR}/${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.${REPART_DDI_EXTENSION}"
+}
+
+IMAGE_CMD:ddi = "oe_image_systemd_repart_make_ddi"
+do_image_ddi[deptask] += "do_unpack"
diff --git a/meta-oe/classes/signing.bbclass b/meta-oe/classes/signing.bbclass
index 8af7bbf8e0..c9759e9198 100644
--- a/meta-oe/classes/signing.bbclass
+++ b/meta-oe/classes/signing.bbclass
@@ -54,7 +54,7 @@
 SIGNING_PKCS11_URI ?= ""
 SIGNING_PKCS11_MODULE ?= ""
 
-DEPENDS += "softhsm-native libp11-native opensc-native openssl-native"
+DEPENDS += "softhsm-native libp11-native opensc-native openssl-native extract-cert-native"
 
 def signing_class_prepare(d):
     import os.path
@@ -123,58 +123,122 @@ signing_import_define_role() {
     echo "_SIGNING_PKCS11_MODULE_${role}_=\"softhsm\"" >> $_SIGNING_ENV_FILE_
 }
 
-# signing_import_cert_from_der <role> <der>
+# signing_import_cert_from_der <cert_name> <der>
 #
-# Import a certificate from DER file to a role. To be used
-# with SoftHSM.
+# Import a certificate from DER file to a cert_name.
+# Where the <cert_name> can either be a previously setup
+# signing_import_define_role linking the certificate to a signing key,
+# or a new identifier when dealing with a standalone certificate.
+#
+# To be used with SoftHSM.
 signing_import_cert_from_der() {
-    local role="${1}"
+    local cert_name="${1}"
     local der="${2}"
 
-    signing_pkcs11_tool --type cert --write-object "${der}" --label "${role}"
+    # check wether the cert_name/role needs to be defined first,
+    # or do so otherwise
+    local uri=$(siging_get_uri $cert_name)
+    if [ -z "$uri" ]; then
+        signing_import_define_role "$cert_name"
+    fi
+
+    signing_pkcs11_tool --type cert --write-object "${der}" --label "${cert_name}"
 }
 
-# signing_import_cert_chain_from_pem <role> <pem>
+# signing_import_set_ca <cert_name> <ca_cert_name>
 #
+# Link the certificate from <cert_name> to its issuer stored in
+# <ca_cert_name> By walking this linked list a CA-chain can later be
+# reconstructed from the involed roles.
+signing_import_set_ca() {
+    local cert_name="${1}"
+    local ca_cert_name="${2}"
+
+    echo "_SIGNING_CA_${cert_name}_=\"${ca_cert_name}\"" >> $_SIGNING_ENV_FILE_
+    echo "added link from ${cert_name} to ${ca_cert_name}"
+}
 
-# Import a certificate *chain* from a PEM file to a role.
-# (e.g. multiple ones concatenated in one file)
+# signing_get_ca <cert_name>
 #
-# Due to limitations in the toolchain:
-#   signing class -> softhsm -> 'extract-cert'
-# the input certificate is split into a sequentially numbered list of roles,
-# starting at <role>_1
+# returns the <ca_cert_name> that has been set previously through
+# signing_import_set_ca; or the empty string if none was set
+signing_get_ca() {
+    local cert_name="${1}"
+
+    eval local ca_cert_name="\$_SIGNING_CA_${cert_name}_"
+    echo "$ca_cert_name"
+}
+
+# signing_has_ca <cert_name>
 #
-# (The limitations are the conversion step from x509 to a plain .der, and
-# extract-cert expecting a x509 and then producing only plain .der again)
-signing_import_cert_chain_from_pem() {
-    local role="${1}"
-    local pem="${2}"
-    local i=1
-
-    cat "${pem}" | \
-        while openssl x509 -inform pem -outform der -out ${B}/temp_${i}.der; do
-            signing_import_define_role "${role}_${i}"
-            signing_pkcs11_tool --type cert \
-                                --write-object  ${B}/temp_${i}.der \
-                                --label "${role}_${i}"
-            rm ${B}/temp_${i}.der
-            echo "imported ${pem} under role: ${role}_${i}"
-            i=$(awk "BEGIN {print $i+1}")
-        done
+# check if the cert_name links to another cert_name that is its
+# certificate authority/issuer.
+signing_has_ca() {
+    local ca_cert_name="$(signing_get_ca ${1})"
+
+    test -n "$ca_cert_name"
+    return $?
 }
 
-# signing_import_cert_from_pem <role> <pem>
+# signing_get_intermediate_certs <cert_name>
 #
-# Import a certificate from PEM file to a role. To be used
-# with SoftHSM.
+# return a list of role/name intermediary CA certificates for a given
+# <cert_name> by walking the chain setup with signing_import_set_ca.
+#
+# The returned list will not include the the root CA, and can
+# potentially be empty.
+#
+# To be used with SoftHSM.
+signing_get_intermediate_certs() {
+    local cert_name="${1}"
+    local intermediary=""
+    while signing_has_ca "${cert_name}"; do
+        cert_name="$(signing_get_ca ${cert_name})"
+        if signing_has_ca "${cert_name}"; then
+            intermediary="${intermediary} ${cert_name}"
+        fi
+    done
+    echo "${intermediary}"
+}
+
+# signing_get_root_cert <cert_name>
+#
+# return the role/name of the CA root certificate for a given
+# <cert_name>, by walking the chain setup with signing_import_set_ca
+# all the way to the last in line that doesn't have a CA set - which
+# would be the root.
+#
+# To be used with SoftHSM.
+signing_get_root_cert() {
+    local cert_name="${1}"
+    while signing_has_ca "${cert_name}"; do
+        cert_name="$(signing_get_ca ${cert_name})"
+    done
+    echo "${cert_name}"
+}
+
+# signing_import_cert_from_pem <cert_name> <pem>
+#
+# Import a certificate from PEM file to a cert_name.
+# Where the <cert_name> can either be a previously setup
+# signing_import_define_role linking the certificate to a signing key,
+# or a new identifier when dealing with a standalone certificate.
+#
+# To be used with SoftHSM.
 signing_import_cert_from_pem() {
-    local role="${1}"
+    local cert_name="${1}"
     local pem="${2}"
 
+    # check wether the cert_name/role needs to be defined first,
+    # or do so otherwise
+    local uri=$(siging_get_uri $cert_name)
+    if [ -z "$uri" ]; then
+        signing_import_define_role "$cert_name"
+    fi
+
     openssl x509 \
         -in "${pem}" -inform pem -outform der |
-    signing_pkcs11_tool --type cert --write-object /proc/self/fd/0 --label "${role}"
+    signing_pkcs11_tool --type cert --write-object /proc/self/fd/0 --label "${cert_name}"
 }
 
 # signing_import_pubkey_from_der <role> <der>
@@ -346,6 +410,30 @@ signing_get_module() {
     fi
 }
 
+# signing_extract_cert_der <role> <der>
+#
+# Export a certificate attached to a role into a DER file.
+# To be used with SoftHSM.
+signing_extract_cert_der() {
+    local role="${1}"
+    local output="${2}"
+
+    extract-cert "$(signing_get_uri $role)" "${output}"
+}
+
+# signing_extract_cert_pem <role> <pem>
+#
+# Export a certificate attached to a role into a PEM file.
+# To be used with SoftHSM.
+signing_extract_cert_pem() {
+    local role="${1}"
+    local output="${2}"
+
+    extract-cert "$(signing_get_uri $role)" "${output}.tmp-der"
+    openssl x509 -inform der -in "${output}.tmp-der" -out "${output}"
+    rm "${output}.tmp-der"
+}
+
 python () {
     signing_class_prepare(d)
 }
diff --git a/meta-oe/classes/sysext-image.bbclass b/meta-oe/classes/sysext-image.bbclass
new file mode 100644
index 0000000000..4d97b59ce3
--- /dev/null
+++ b/meta-oe/classes/sysext-image.bbclass
@@ -0,0 +1,76 @@
+#
+# Copyright OpenEmbedded Contributors
+#
+# SPDX-License-Identifier: MIT
+#
+
+# System extension images may – dynamically at runtime — extend the
+# /usr/ and /opt/ directory hierarchies with additional files. This is
+# particularly useful on immutable system images where a /usr/ and/or
+# /opt/ hierarchy residing on a read-only file system shall be
+# extended temporarily at runtime without making any persistent
+# modifications.
+
+# Example usage:
+## place a symlink into the systemd-sysext image search path:
+# $> mkdir /run/extensions
+# $> ln -s /tmp/extension-example.sysext.ddi /run/extensions/example.raw
+## list all available extensions:
+# $> systemd-sysext list
+## and enable the found extensions:
+# $> SYSTEMD_LOG_LEVEL=debug systemd-sysext merge
+
+# Note: PACKAGECONFIG:pn-systemd needs to include 'sysext'
+
+# systemd-sysext [1] has a simple mechanism for version compatibility:
+# the extension to be loaded has to contain a file named
+# /usr/lib/extension-release.d/extension-release.NAME
+# with "NAME" part *exactly* matching the filename of the extensions
+# raw-device filename/
+#
+# From the extension-release file the "ID" and "VERSION_ID" fields are
+# matched against same fields present in `os-release` and the extension
+# is "merged" only if values in both fields from both files are an
+# exact match.
+#
+# Link: https://www.freedesktop.org/software/systemd/man/latest/systemd-sysext.html
+
+inherit image
+
+# Include '.sysext' in the deployed image filename and symlink
+IMAGE_NAME = "${IMAGE_BASENAME}${IMAGE_MACHINE_SUFFIX}${IMAGE_VERSION_SUFFIX}.sysext"
+IMAGE_LINK_NAME = "${IMAGE_BASENAME}${IMAGE_MACHINE_SUFFIX}.sysext"
+EXTENSION_NAME = "${IMAGE_LINK_NAME}.${IMAGE_FSTYPES}"
+
+# Base extension identification fields
+EXTENSION_ID_FIELD ?= "${DISTRO}"
+EXTENSION_VERSION_FIELD ?= "${DISTRO_VERSION}"
+
+sysext_image_add_version_identifier_file() {
+    # Use matching based on Distro name and version
+    echo 'ID=${EXTENSION_ID_FIELD}' > ${WORKDIR}/extension-release.base
+    # os-release.bb does "sanitise_value(ver)", which needs to be done here too
+    echo 'VERSION_ID=${EXTENSION_VERSION_FIELD}' \
+        | sed 's,+,-,g;s, ,_,g' \
+        >> ${WORKDIR}/extension-release.base
+
+    # Instruct `systemd-sysext` to perform re-load once extension image is verified
+    echo 'EXTENSION_RELOAD_MANAGER=1' >> ${WORKDIR}/extension-release.base
+
+    install -d ${IMAGE_ROOTFS}${nonarch_libdir}/extension-release.d
+    install -m 0644 ${WORKDIR}/extension-release.base \
+        ${IMAGE_ROOTFS}${nonarch_libdir}/extension-release.d/extension-release.${EXTENSION_NAME}
+
+    # systemd-sysext expects an extension-release file of the exact same name as the image;
+    # by setting a xattr we allow renaming of the extension image file.
+    # (Kernel: this requires xattr support in the used filesystem)
+    setfattr -n user.extension-release.strict -v false \
+        ${IMAGE_ROOTFS}${nonarch_libdir}/extension-release.d/extension-release.${EXTENSION_NAME}
+}
+
+ROOTFS_POSTPROCESS_COMMAND += "sysext_image_add_version_identifier_file"
+
+# remove 'os-release' from the packages to be installed into the image.
+# systemd-sysext otherwise raises the error:
+# Extension contains '/usr/lib/os-release', which is not allowed, refusing.
+PACKAGE_EXCLUDE += "os-release"
diff --git a/meta-oe/recipes-core/systemd/systemd-repart-native_257.6.bb b/meta-oe/recipes-core/systemd/systemd-repart-native_257.6.bb
new file mode 100644
index 0000000000..15b60af02e
--- /dev/null
+++ b/meta-oe/recipes-core/systemd/systemd-repart-native_257.6.bb
@@ -0,0 +1,59 @@
+# SPDX-License-Identifier: MIT
+#
+# Copyright Leica Geosystems AG
+#
+
+SUMMARY = "systemd-repart"
+DESCRIPTION = "systemd-repart grows and adds partitions to a partition table, based on the configuration files described in repart.d(5), or generates a Discoverable Disk Image (DDI) for a system extension (sysext, see systemd-sysext(8))."
+HOMEPAGE = "http://www.freedesktop.org/wiki/Software/systemd"
+
+LICENSE = "GPL-2.0-only & LGPL-2.1-or-later"
+LICENSE:libsystemd = "LGPL-2.1-or-later"
+LIC_FILES_CHKSUM = "file://LICENSE.GPL2;md5=751419260aa954499f7abaabaa882bbe \
+                    file://LICENSE.LGPL2.1;md5=4fbd65380cdd255951079008b364516c"
+
+SRCREV = "00a12c234e2506f5cab683460199575f13c454db"
+SRCBRANCH = "v257-stable"
+SRC_URI = "git://github.com/systemd/systemd.git;protocol=https;branch=${SRCBRANCH}"
+
+S = "${WORKDIR}/git"
+
+DEPENDS = " \
+    cryptsetup-native \
+    gperf-native \
+    libcap \
+    python3-jinja2-native \
+    util-linux \
+"
+
+inherit meson pkgconfig gettext native
+
+MESON_TARGET = "systemd-repart"
+
+# Helper variables to clarify locations. This mirrors the logic in systemd's
+# build system.
+rootprefix ?= "${root_prefix}"
+rootlibdir ?= "${base_libdir}"
+rootlibexecdir = "${rootprefix}/lib"
+
+EXTRA_OEMESON += "-Dnobody-user=nobody \
+    -Dnobody-group=nogroup \
+    -Drootlibdir=${rootlibdir} \
+    -Drootprefix=${rootprefix} \
+    -Ddefault-locale=C \
+    -Dmode=release \
+    -Dsystem-alloc-uid-min=101 \
+    -Dsystem-uid-max=999 \
+    -Dsystem-alloc-gid-min=101 \
+    -Dsystem-gid-max=999 \
+"
+
+do_install() {
+    install -d ${D}${bindir}/
+    install -m 0755 ${B}/systemd-repart ${D}${bindir}/systemd-repart
+    install -d ${D}${libdir}/
+    install -m 0644 ${B}/src/shared/libsystemd-shared-257.so ${D}${libdir}/libsystemd-shared-257.so
+
+    install -d ${D}${libdir}/systemd/repart/
+    cp -r ${S}/src/repart/definitions ${D}${libdir}/systemd/repart/
+}
diff --git a/meta-oe/recipes-devtools/abseil-cpp/abseil-cpp/0005-Fix-GCC15-warning-that-ciso646-is-deprecated-in-C-17.patch b/meta-oe/recipes-devtools/abseil-cpp/abseil-cpp/0005-Fix-GCC15-warning-that-ciso646-is-deprecated-in-C-17.patch
new file mode 100644
index 0000000000..7fe9ab4708
--- /dev/null
+++ b/meta-oe/recipes-devtools/abseil-cpp/abseil-cpp/0005-Fix-GCC15-warning-that-ciso646-is-deprecated-in-C-17.patch
@@ -0,0 +1,43 @@
+From aa102147cdfff3aa971e61038a6455bff6828350 Mon Sep 17 00:00:00 2001
+From: Derek Mauro <dmauro@google.com>
+Date: Tue, 29 Apr 2025 06:23:36 -0700
+Subject: [PATCH] Fix GCC15 warning that <ciso646> is deprecated in C++17
+
+PiperOrigin-RevId: 752709743
+Change-Id: I4d6b52bca913d888818e1380268089743b03ca2b
+Upstream-Status: Backport [https://github.com/abseil/abseil-cpp/commit/5f3435aba00bcd7f12062d2e8e1839b4eaf1a575]
+---
+ absl/hash/internal/hash.h | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/absl/hash/internal/hash.h b/absl/hash/internal/hash.h
+index f4a0d785..6937f413 100644
+--- a/absl/hash/internal/hash.h
++++ b/absl/hash/internal/hash.h
+@@ -26,13 +26,25 @@
+ 
+ #include "absl/base/config.h"
+ 
++// GCC15 warns that <ciso646> is deprecated in C++17 and suggests using
++// <version> instead, even though <version> is not available in C++17 mode prior
++// to GCC9.
++#if defined(__has_include)
++#if __has_include(<version>)
++#define ABSL_INTERNAL_VERSION_HEADER_AVAILABLE 1
++#endif
++#endif
++
+ // For feature testing and determining which headers can be included.
+-#if ABSL_INTERNAL_CPLUSPLUS_LANG >= 202002L
++#if ABSL_INTERNAL_CPLUSPLUS_LANG >= 202002L || \
++    ABSL_INTERNAL_VERSION_HEADER_AVAILABLE
+ #include <version>
+ #else
+ #include <ciso646>
+ #endif
+ 
++#undef ABSL_INTERNAL_VERSION_HEADER_AVAILABLE
++
+ #include <algorithm>
+ #include <array>
+ #include <bitset>
diff --git a/meta-oe/recipes-devtools/abseil-cpp/abseil-cpp_20250127.1.bb b/meta-oe/recipes-devtools/abseil-cpp/abseil-cpp_20250127.1.bb
index 5368dfaada..39c3b0b6db 100644
--- a/meta-oe/recipes-devtools/abseil-cpp/abseil-cpp_20250127.1.bb
+++ b/meta-oe/recipes-devtools/abseil-cpp/abseil-cpp_20250127.1.bb
@@ -14,6 +14,7 @@ SRC_URI = "git://github.com/abseil/abseil-cpp;branch=${BRANCH};protocol=https \
            file://0002-Remove-maes-option-from-cross-compilation.patch \
            file://0003-Remove-neon-option-from-cross-compilation.patch \
            file://0004-abseil-ppc-fixes.patch \
+           file://0005-Fix-GCC15-warning-that-ciso646-is-deprecated-in-C-17.patch \
            "
 
 S = "${WORKDIR}/git"
diff --git a/meta-oe/recipes-support/bvi/bvi_1.4.2.bb b/meta-oe/recipes-support/bvi/bvi_1.4.2.bb
index b0081794d0..fb136e16a6 100644
--- a/meta-oe/recipes-support/bvi/bvi_1.4.2.bb
+++ b/meta-oe/recipes-support/bvi/bvi_1.4.2.bb
@@ -2,10 +2,10 @@ SUMMARY = "Binary VI editor"
 DESCRIPTION = "bvi is a visual editor for binary files."
 HOMEPAGE = "https://sourceforge.net/projects/bvi"
 SECTION = "console/utils"
-LICENSE = "GPL-3.0-only"
+LICENSE = "GPL-3.0-or-later"
 LIC_FILES_CHKSUM = "file://COPYING;md5=a36207309d382da27cd66fdaae922e3c"
 
-SRC_URI = "${SOURCEFORGE_MIRROR}/bvi/bvi-${PV}.src.tar.gz"
+SRC_URI = "${SOURCEFORGE_MIRROR}/${BPN}/${BP}.src.tar.gz"
 SRC_URI[sha256sum] = "4bba16c2b496963a9b939336c0abcc8d488664492080ae43a86da18cf4ce94f2"
 
 DEPENDS += "ncurses"
diff --git a/meta-oe/recipes-support/libserialmodule/libserialmodule_1.0.7.bb b/meta-oe/recipes-support/libserialmodule/libserialmodule_1.0.8.bb
index ac5a3eaf09..7994907e13 100644
--- a/meta-oe/recipes-support/libserialmodule/libserialmodule_1.0.7.bb
+++ b/meta-oe/recipes-support/libserialmodule/libserialmodule_1.0.8.bb
@@ -6,7 +6,7 @@ LICENSE = "MIT"
 LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=22cdd382a6275cb4c2e75c517952ac7c"
 DEPENDS = "libsimplelog"
 SRC_URI = "git://git@github.com/thuanalg/libserialmodule.git;branch=main;protocol=https;tag=v${PV}"
-SRCREV = "b5a5a436900d0bd69f990ca062de916c65f7e2e0"
+SRCREV = "f89f98ff0c9d0aaee2624d40addb0687a74c5d81"
 S = "${WORKDIR}/git"
 inherit cmake
 EXTRA_OECMAKE = "-DUNIX_LINUX=1 -DMETA_OPENEMBEDDED=1"
diff --git a/meta-python/recipes-devtools/python/python3-charset-normalizer/0001-pyproject.toml-Relax-version-for-mypy.patch b/meta-python/recipes-devtools/python/python3-charset-normalizer/0001-pyproject.toml-Relax-version-for-mypy.patch
deleted file mode 100644
index d544caaa17..0000000000
--- a/meta-python/recipes-devtools/python/python3-charset-normalizer/0001-pyproject.toml-Relax-version-for-mypy.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From 57b626d6d8c247c9203dde51a988b9401abe065c Mon Sep 17 00:00:00 2001
-From: Khem Raj <raj.khem@gmail.com>
-Date: Wed, 9 Apr 2025 23:44:44 -0700
-Subject: [PATCH] pyproject.toml: Relax version for mypy
-
-It asks for mypy <= 1.14.0 but we have 1.15.x
-already in meta-python
-
-Upstream-Status: Pending
-Signed-off-by: Khem Raj <raj.khem@gmail.com>
----
- pyproject.toml | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/pyproject.toml b/pyproject.toml
-index bbb8227..ad42715 100644
---- a/pyproject.toml
-+++ b/pyproject.toml
-@@ -1,5 +1,5 @@
- [build-system]
--requires = ["setuptools", "setuptools-scm", "mypy>=1.4.1,<=1.14.0"]
-+requires = ["setuptools", "setuptools-scm", "mypy>=1.4.1,<=1.16.0"]
- build-backend = "setuptools.build_meta"
- 
- [project]
diff --git a/meta-python/recipes-devtools/python/python3-charset-normalizer_3.4.1.bb b/meta-python/recipes-devtools/python/python3-charset-normalizer_3.4.2.bb
index 4f9b09ef93..e62306fff3 100644
--- a/meta-python/recipes-devtools/python/python3-charset-normalizer_3.4.1.bb
+++ b/meta-python/recipes-devtools/python/python3-charset-normalizer_3.4.2.bb
@@ -3,8 +3,7 @@ HOMEPAGE = "https://github.com/ousret/charset_normalizer"
 LICENSE = "MIT"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=48178f3fc1374ad7e830412f812bde05"
 
-SRC_URI += "file://0001-pyproject.toml-Relax-version-for-mypy.patch"
-SRC_URI[sha256sum] = "44251f18cd68a75b56585dd00dae26183e102cd5e0f9f1466e6df5da2ed64ea3"
+SRC_URI[sha256sum] = "5baececa9ecba31eff645232d59845c07aa030f0c81ee70184a90d35099a0e63"
 
 DEPENDS += "python3-setuptools-scm-native python3-mypy-native"
 
diff --git a/meta-python/recipes-devtools/python/python3-typer_0.15.4.bb b/meta-python/recipes-devtools/python/python3-typer_0.16.0.bb
index 26b0c042be..87e258ae1f 100644
--- a/meta-python/recipes-devtools/python/python3-typer_0.15.4.bb
+++ b/meta-python/recipes-devtools/python/python3-typer_0.16.0.bb
@@ -3,11 +3,11 @@ DESCRIPTION = "\
     Typer is a library for building CLI applications that users will love using and developers will love creating. Based on Python type hints. \
     It's also a command line tool to run scripts, automatically converting them to CLI applications. \
 "
-HOMEPAGE = "https://github.com/tiangolo/typer"
+HOMEPAGE = "https://github.com/fastapi/typer"
 LICENSE = "MIT"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=173d405eb704b1499218013178722617"
 
-SRC_URI[sha256sum] = "89507b104f9b6a0730354f27c39fae5b63ccd0c95b1ce1f1a6ba0cfd329997c3"
+SRC_URI[sha256sum] = "af377ffaee1dbe37ae9440cb4e8f11686ea5ce4e9bae01b84ae7c63b87f1dd3b"
 
 inherit pypi python_setuptools_build_meta ptest