From: Richard Purdie <richard.purdie@linuxfoundation.org>
To: Martin Jansa <martin.jansa@gmail.com>
Cc: Paul Eggleton <paul.eggleton@linux.intel.com>,
openembedded-core@lists.openembedded.org
Subject: Re: [PATCH] dropbear: don't use IMAGE_FEATURES
Date: Mon, 07 Jan 2013 20:46:11 +0000
Message-ID: <1357591571.25855.41.camel@ted>
In-Reply-To: <20130107203157.GI3285@jama>

On Mon, 2013-01-07 at 21:31 +0100, Martin Jansa wrote:
> On Mon, Jan 07, 2013 at 08:11:58PM +0000, Paul Eggleton wrote:
> > On Monday 07 January 2013 11:36:13 Richard Purdie wrote:
> > > On Mon, 2013-01-07 at 12:15 +0100, Martin Jansa wrote:
> > > > * IMAGE_FEATURES are image specific, but dropbear recipe isn't
> > > > * if you have debug-tweaks in EXTRA_IMAGE_FEATURES or added to
> > > >   IMAGE_FEATURES in distro config, then it will set DISTRO_TYPE
> > > >   to debug as expected, but if you add debug-tweaks only in
> > > >   your-own-debug-image, then dropbear never sees debug-tweaks and
> > > >   your-own-debug-image won't allow empty password login.
> > > > * best way would be to patch dropbear to enable empty password by
> > > >   runtime config or argument and enable it in ROOTFS_POSTPROCESS_COMMAND
> > > >   like openssh_allow_empty_password does, see
> > > >   http://permalink.gmane.org/gmane.network.ssh.dropbear/845
> > > >
> > > > Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
> > > > ---
> > > >
> > > > meta/recipes-core/dropbear/dropbear.inc | 4 ++--
> > > > 1 file changed, 2 insertions(+), 2 deletions(-)
> > > >
> > > > diff --git a/meta/recipes-core/dropbear/dropbear.inc
> > > > b/meta/recipes-core/dropbear/dropbear.inc index aa313df..2c170c6 100644
> > > > --- a/meta/recipes-core/dropbear/dropbear.inc
> > > > +++ b/meta/recipes-core/dropbear/dropbear.inc
> > > > @@ -2,7 +2,7 @@ DESCRIPTION = "Dropbear is a lightweight SSH and SCP
> > > > implementation">
> > > > HOMEPAGE = "http://matt.ucc.asn.au/dropbear/dropbear.html"
> > > > SECTION = "console/network"
> > > >
> > > > -INC_PR = "r0"
> > > > +INC_PR = "r1"
> > > >
> > > > # some files are from other projects and have others license terms:
> > > > # public domain, OpenSSH 3.5p1, OpenSSH3.6.1p2, PuTTY
> > > >
> > > > @@ -40,7 +40,7 @@ EXTRA_OEMAKE = 'MULTI=1 SCPPROGRESS=1
> > > > PROGRAMS="${SBINCOMMANDS} ${BINCOMMANDS}"'>
> > > > EXTRA_OECONF += "\
> > > >
> > > > ${@base_contains('DISTRO_FEATURES', 'pam', '--enable-pam',
> > > > '--disable-pam', d)}">
> > > > -DISTRO_TYPE ?= "${@base_contains("IMAGE_FEATURES", "debug-tweaks",
> > > > "debug", "",d)}" +DISTRO_TYPE ?= "debug"
> > > >
> > > > do_install() {
> > > >
> > > > install -d ${D}${sysconfdir} \
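
Review bot: The replacement default `DISTRO_TYPE ?= "debug"` in this hunk applies to every build that does not set DISTRO_TYPE itself, and the commit message ties the debug value to dropbear allowing empty password login, so the permissive behaviour becomes the default rather than an opt-in. Consider defaulting to an empty value and requiring an explicit opt-in from the distro configuration (for example a check that is not image specific), and add a comment above the assignment stating what "debug" enables so the security impact is visible in the recipe.
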
> > >
> > > How about we ditch DISTRO_TYPE entirely and check for "debug-tweaks" in
> > > DISTRO_FEATURES? This would bring it more into line with the other
> > > places we do things like this.
> > >
> > > FWIW I agree this should ideally be runtime configured and we should
> > > really add an enhancement request to the bugzilla for that (or patches
> > > welcome).
> >
> > There's already a request open:
> >
> > https://bugzilla.yoctoproject.org/show_bug.cgi?id=2578
> >
> > I'd suggest leaving the current behaviour (poor as it may be) until that bug
> > is fixed.
>
> Building with OEBasic won't rebuild dropbear to suit IMAGE_FEATURES of
> currently built image and even with OEBasicHash I don't know which
> dropbear version will be used if I build 2 different images:
> bitbake foo-image foo-debug-image
>
> So changing it one way or another is IMHO improvement of current
> situation until that bug is fixed properly.

Having looked into it more, the current situation is a complete mess and
for something security sensitive like this, it *needs* to behave better.
I just raised the priority of the task (medium+).

Cheers,

Richard