From: Thomas Petazzoni via buildroot <buildroot@buildroot.org>
To: "Alexis Lothoré" <alexis.lothore@bootlin.com>
Cc: tim.hammer@nav-timing.safrangroup.com,
nicolas.carrier@nav-timing.safrangroup.com,
buildroot@buildroot.org
Subject: Re: [Buildroot] [PATCH 4/4] package/compliance-as-code: add new package
Date: Wed, 30 Jul 2025 19:18:34 +0200
Message-ID: <20250730191834.6bc7f097@windsurf>
In-Reply-To: <20250730-openscap-v1-4-46e4a32e26da@bootlin.com>
Hello Alexis,
Thanks for this patch (again!). Some comments below.
On Wed, 30 Jul 2025 14:47:16 +0200
Alexis Lothoré <alexis.lothore@bootlin.com> wrote:
> Introduce the Compliance As Code package. This project provides data
> files consumed by the openscap tool to evaluate a host's compliance
> with security policies. The package depends on both host-openscap
> (needed at build time to process the input files into usable files) and
> openscap (needed on the target, which will use the generated files to
> evaluate the system configuration).
>
> The project is based on cmake, but it also exposes a wrapper script
> (build_product). The package uses the cmake build system, but exposes a
> few Kconfig options to replicate some of the build_product options:
> - BR2_PACKAGE_COMPLIANCE_AS_CODE_DATASTREAM_ONLY: replicates the -d
> option, building only the datastream files instead of all the files
> - BR2_PACKAGE_COMPLIANCE_AS_CODE_PRODUCTS: allows selecting the
> product(s) for which we want to generate policy files.
>
> The default install target provided by the project expects a full build,
> and so it will try to generate all the files for all the products when
> executed (which cancels the benefit of being able to select only a
> single or a few products), so the package defines a custom install
> command.
Very nice commit message. Perhaps too nice as it makes me think: what
about a support/testing/ test case for this package?
Commit title should be:
package/compliance-as-code: new package
> Signed-off-by: Alexis Lothoré <alexis.lothore@bootlin.com>
> ---
> package/Config.in | 1 +
> package/compliance-as-code/Config.in | 35 ++++++++++++++++++++++
> package/compliance-as-code/compliance-as-code.hash | 5 ++++
> package/compliance-as-code/compliance-as-code.mk | 34 +++++++++++++++++++++
> 4 files changed, 75 insertions(+)
Entry in the DEVELOPERS file.
> diff --git a/package/compliance-as-code/Config.in b/package/compliance-as-code/Config.in
> new file mode 100644
> index 0000000000000000000000000000000000000000..402bf2ba8610808f4d536f5d102348a879fb4d5d
> --- /dev/null
> +++ b/package/compliance-as-code/Config.in
> @@ -0,0 +1,35 @@
> +config BR2_PACKAGE_COMPLIANCE_AS_CODE
> + bool "compliance-as-code"
> + depends on BR2_PACKAGE_LIBGPG_ERROR_ARCH_SUPPORTS # openscap
> + depends on !BR2_STATIC_LIBS # dlfcn.h
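Review bot: the `depends on !BR2_STATIC_LIBS` line has no matching Kconfig `comment` block in the quoted part of the hunk; Buildroot pairs such a toolchain dependency with a comment so the user sees why the option is hidden, along the lines of `comment "compliance-as-code needs a toolchain w/ dynamic library"`, `depends on BR2_PACKAGE_LIBGPG_ERROR_ARCH_SUPPORTS`, `depends on BR2_STATIC_LIBS`. If the unquoted remainder of the 35-line hunk already carries it, disregard.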
I guess this comes also from openscap, so the comment should also be
# openscap
> + select BR2_PACKAGE_HOST_OPENSCAP
Not needed, this option does not exist.
> + select BR2_PACKAGE_OPENSCAP
> + select BR2_PACKAGE_HOST_PYTHON
This option does not exist, and it's not necessary to select
BR2_PACKAGE_HOST_PYTHON3.
> + select BR2_PACKAGE_HOST_PYTHON_PYAML
This option does not exist, it's BR2_PACKAGE_HOST_PYTHON_PYYAML, but
selecting it is not needed.
> + select BR2_PACKAGE_HOST_PYTHON_JINJA2
This option does not exist.
> + select BR2_PACKAGE_HOST_LIBXSLT
This option does not exist.
> + select BR2_PACKAGE_HOST_LIBXML2
This option does not exist.
Basically, you almost never need to select the option of host packages.
The only case is if you need a sub-option of a host package, like
BR2_PACKAGE_HOST_PYTHON3_BZIP2 for example.
> diff --git a/package/compliance-as-code/compliance-as-code.hash b/package/compliance-as-code/compliance-as-code.hash
> new file mode 100644
> index 0000000000000000000000000000000000000000..7b100dc4be54126a4c8f1f84b918d26196cc0d7d
> --- /dev/null
> +++ b/package/compliance-as-code/compliance-as-code.hash
> @@ -0,0 +1,5 @@
> +
> +# Locally calculated
> +sha256 bb79e996035a1d985c49e5df8988a5d5f2310f5b3b5d49492f95a6845db00f43 compliance-as-code-0.1.77.tar.gz
> +# Locally calculated
> +sha256 ade633d5db670a58ff5f735c3602caafc72657a516416969fff79ff8a0c10298 LICENSE
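Review bot: the first added line of this hunk is an empty line at the top of the .hash file; drop it so the file starts with the `# Locally calculated` comment like other Buildroot hash files, and a single `# Locally calculated` line covering both the tarball and the LICENSE entry is enough rather than repeating it before each.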
> diff --git a/package/compliance-as-code/compliance-as-code.mk b/package/compliance-as-code/compliance-as-code.mk
> new file mode 100644
> index 0000000000000000000000000000000000000000..dc273403c52371753bb6076c7b0b381d5958749f
> --- /dev/null
> +++ b/package/compliance-as-code/compliance-as-code.mk
> @@ -0,0 +1,34 @@
> +################################################################################
> +#
> +# Compliance As Code
> +#
> +################################################################################
> +
> +COMPLIANCE_AS_CODE_VERSION = 0.1.77
> +COMPLIANCE_AS_CODE_SITE = $(call github,ComplianceAsCode,content,v$(COMPLIANCE_AS_CODE_VERSION))
> +COMPLIANCE_AS_CODE_LICENSE = BSD-3-Clause
> +COMPLIANCE_AS_CODE_LICENSE_FILES = LICENSE
> +COMPLIANCE_AS_CODE_REDISTRIBUTE = NO
Why? If it's BSD-3-Clause.
> +COMPLIANCE_AS_CODE_DEPENDENCIES = \
> + host-python3 \
> + host-openscap \
> + openscap \
> + host-python-jinja2 \
> + host-python-pyyaml \
> + host-libxslt \
> + host-libxml2
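Review bot: `openscap` in COMPLIANCE_AS_CODE_DEPENDENCIES looks like a runtime-only dependency: per the commit message it is needed on the target to consume the generated files, while the build itself uses host-openscap (see OPENSCAP_ROOT_DIR=$(HOST_DIR) below). A runtime-only dependency is expressed by the `select BR2_PACKAGE_OPENSCAP` in Config.in (annotate it `# runtime`) and does not need to be in _DEPENDENCIES, which only orders the build. Likewise `host-python3` is already pulled in by `host-python-jinja2` and `host-python-pyyaml` and can be dropped from the list.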
I assume you verified all those host dependencies are actually needed?
> +
> +COMPLIANCE_AS_CODE_CONF_ENV = OPENSCAP_ROOT_DIR=$(HOST_DIR)
> +COMPLIANCE_AS_CODE_SUPPORTS_IN_SOURCE_BUILD = NO
> +COMPLIANCE_AS_CODE_MAKE_OPTS = \
> + $(foreach p,\
> + $(call qstrip,$(BR2_PACKAGE_COMPLIANCE_AS_CODE_PRODUCTS)),\
> + $(if $(BR2_PACKAGE_COMPLIANCE_AS_CODE_DATASTREAM_ONLY), generate-ssg-$(p)-ds.xml, $(p)))
How does that work when
BR2_PACKAGE_COMPLIANCE_AS_CODE_DATASTREAM_ONLY=y and
BR2_PACKAGE_COMPLIANCE_AS_CODE_PRODUCTS is empty? This will lead to
COMPLIANCE_AS_CODE_MAKE_OPTS being empty, so I don't see how the build
can differentiate BR2_PACKAGE_COMPLIANCE_AS_CODE_DATASTREAM_ONLY=y vs.
BR2_PACKAGE_COMPLIANCE_AS_CODE_DATASTREAM_ONLY disabled.
> +define COMPLIANCE_AS_CODE_INSTALL_TARGET_CMDS
> + mkdir -p $(TARGET_DIR)/etc/openscap
> + rsync -a $(@D)/buildroot-build/*.xml $(TARGET_DIR)/etc/openscap/
We often use:
cp -dpfr $(@D)/buildroot-build/*.xml $(TARGET_DIR)/etc/openscap/
for this kind of situation.
Thanks!
Thomas
--
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com