THis is bumping dependencies to fix known CVEs, with the exception of
OpenImageIO which also includes bugfixes for performance and correctness
with some image types.
zlib 1.2.12 -> 1.2.13
freetype 2.11.1 -> 2.12.1
openimageio 2.3.13.0 -> 2.3.20.0
python 3.10.2 -> 3.10.8
openjpeg 2.4.0 -> 2.5.0
ffmpeg 5.0 -> 5.1.2
sndfile 1.0.28 -> 1.1.0
xml2 2.9.10 -> 2.10.3
expat 2.4.4 -> 2.4.9
openssl 1.1.1g/i -> 1.1.1q
sqlite 3.31.1 -> 3.37.2
Notable changes:
* AOM: the hack we had in place to make it not detect pthreads on windows no
longer worked with a more recent cmake version. Disabled pthreads with a
diff on Windows.
* Python: embedded copy of zlib 2.1.12 swapped out for our 2.1.13 copy with
some folder manipulation on Windows.
* Freetype: was harbouring a copy of zlib 2.1.12 as well, so that had to end.
* FFmpeg: patch used to fix D11796 is no longer needed. Add new patch to deal
with simple_idct.asm generating an object file with no sections in it,
backport from upstream commit.
* TinyXML: still being downloaded but no longer used by OpenColorIO, removed.
* GMP applied upstream patch to fix CVE-2021-43618, as there is no release yet.
* SQLite and Libsndfile patches no longer needed.
Includes contributes by Ray Molenkamp, Campbell Barton and Brecht Van Lommel.
Ref T101403
Differential Revision: https://developer.blender.org/D16269
* OpenEXR 3.1.4 -> 3.1.5, this fixes several issues OSS fuzz found.
* libtiff 4.3.0 -> 4.4.0, this fixes several CVE's.
This also converts the harvest of libtiff on windows to a post install handler,
there's a few left but Windows is getting close to being harvest free.
Differential Revision: https://developer.blender.org/D15478
Use a shorter/simpler license convention, stops the header taking so
much space.
Follow the SPDX license specification: https://spdx.org/licenses
- C/C++/objc/objc++
- Python
- Shell Scripts
- CMake, GNUmakefile
While most of the source tree has been included
- `./extern/` was left out.
- `./intern/cycles` & `./intern/atomic` are also excluded because they
use different header conventions.
doc/license/SPDX-license-identifiers.txt has been added to list SPDX all
used identifiers.
See P2788 for the script that automated these edits.
Reviewed By: brecht, mont29, sergey
Ref D14069
Allow downloading of source packages of Blender's dependencies, so that
it's easier to provide a "full source archive" that contains the blender
source + all dependencies archives. A `make` command for this will be
introduced soon.
This changes the deps builder slightly to be more flexible with the
origin of our source packages.
To support this a new CMake variable has been added called `PACKAGE_DIR`
where all sources archives will be stored.
default: a directory called `packages` in the build folder.
alternative-default: if a directory called `packages` exists in the
blender source folder that will be used. This is to support the "full
source archive" use case.
The download phase have been moved from the build phase to the configure
phase. Configure will download all sources validate the hashes while
downloading.
All `[depname].cmake` files have been changed to take a local
`file://[path_to_local_tarball]` path rather than a remote URI.
A second requirement was that there needed to be an option to grab the
sources from the blender SVN mirror rather than upstream. For this an
option has been added PACKAGE_USE_UPSTREAM_SOURCES (default ON). The
exact location in SVN still needs to be worked out, I tested with my
local webserver and codewise it checks out. The path that is in there
currently will not work (given there is no mirror there yet).
To build this mirror our local package caches can be used.
Reviewed By: lazydodo
Differential Revision: https://developer.blender.org/D10598
Set of fixes which had to be made in order to have dependencies built
on own laptop:
- Require bison as a dependent software. It is required by ISPC.
On macOS it is required to be installed via Homebrew. This is because
Bison from Xcode toolchain is too old.
- Made sure Boost is compiled using clang.
Without this gcc was used, and some unsupported command line argument
was passed to it.
- Modify OGG in a way which does in fact pull fixed sized types.
They are defined in stdint.h.
Without this fix FFmpeg will not detect presence of OGG because the
test program fails to compile.
- Force disable zstd compression and make wepb optional for the TIFF
library. Without this TIFF might pick up development libraries from
Homebrew.
Differential Revision: https://developer.blender.org/D8221
Note these are intended for platform maintainers, we do not intend to
support users making their own builds with these. For that precompiled
libraries from lib/ should be used.
Implemented by Martijn Berger, Ray Molenkamp and Brecht Van Lommel.
Differential Revision: https://developer.blender.org/D2753
