[meta-security,kirkstone][PATCH 0/5] sssd: fix python3 support

[meta-security,kirkstone][PATCH 0/5] sssd: fix python3 support

[Gaël PORTAY]

Dear Maintainers,

This patch series brings several fixes to enable the support for python3
to the recipe sssd.

I have tested the build on the branch kirkstone with following change to
enable python3:

	PACKAGECONFIG:append:pn-sssd = " python3"

The command below runs successfully since then, however, I have not
tested it on scarthgap (yet?).

	$ bitbake sssd

The patch series creates the new target package sssd-python; tell me if
is not misnamed (thinking about python-sssd?) or if the python script
and its modules should be part of the target package sssd instead.

Also, tell me if you want me to apply these changes on top of master.

Important: I am no expert in python packaging at all, so I have probably
made not-the-right choices in the first commit! Sorry...

Kind Regards,
Gaël PORTAY (5):
  sssd: fix missing python3.X-config script
  sssd: fix ac_cv_prog_HAVE_PYTHON3 value
  sssd: fix issue if build machine is Debian
  sssd: fix shipping python script and modules
  sssd: fix path to python3 interpreter

 recipes-security/sssd/sssd_2.5.2.bb | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

-- 
2.45.2

[meta-security,kirkstone][PATCH 1/5] sssd: fix missing python3.X-config script

[Gaël PORTAY]

The configure script checks for the utility python3.X-config to be in
$PATH; that script is shipped by the package python3-native.

The recipe does not depend on the package python3-native which causes
the task do_configure to fail.

The recipe inherits from the bbclass python3-dir that does not install
the required script to the sysroot. The bbclass python3native inherits
from (the already inherited bbclass) python3-dir and it adds the missing
dependency to python3-native.

This fixes the configure error by "upgrading" the inherit bbclass from
python3-dir to python3-native.

Fixes:

	| checking for python3.10-config... no
	| configure: error:
	| The program python3.10-config was not found in search path.
	| Please ensure that it is installed and its directory is included in the search
	| path. If you want to build sssd without python3 bindings then specify
	| --without-python3-bindings when running configure.
	| NOTE: The following config.log files may provide further information.

Signed-off-by: Gaël PORTAY <gael.portay@rtone.fr>
---
 recipes-security/sssd/sssd_2.5.2.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/recipes-security/sssd/sssd_2.5.2.bb b/recipes-security/sssd/sssd_2.5.2.bb
index c07559c..fe82452 100644
--- a/recipes-security/sssd/sssd_2.5.2.bb
+++ b/recipes-security/sssd/sssd_2.5.2.bb
@@ -33,7 +33,7 @@ CVE_CHECK_IGNORE += "\
     CVE-2018-16838 \
 "
 
-inherit autotools pkgconfig gettext python3-dir features_check systemd
+inherit autotools pkgconfig gettext python3native features_check systemd
 
 REQUIRED_DISTRO_FEATURES = "pam"
 
-- 
2.45.2

[meta-security,kirkstone][PATCH 2/5] sssd: fix ac_cv_prog_HAVE_PYTHON3 value

[Gaël PORTAY]

The variable HAVE_PYTHON3 expects a boolean value[1] and the configure
script raises an error if the option --with-python3-bindings is set and
if the value HAVE_PYTHON3 is not "yes"[2].

The recipe sets a non-boolean value to ac_cv_prog_HAVE_PYTHON3 and thus
causes the task do_configure to fail.

This fixes the value set to ac_cv_prog_HAVE_PYTHON3 by setting it to yes
instead of $(PYTHON_DIR).

Fixes:

	| checking for python3... (cached) python3.10
	| configure: error:
	| The program python3 was not found in search path.
	| Please ensure that it is installed and its directory is included in the search
	| path. It is required for building python3 bindings. If you do not want to build
	| them please use argument --without-python3-bindings when running configure.
	| NOTE: The following config.log files may provide further information.

[1]: https://github.com/SSSD/sssd/blob/2.5.2/configure.ac#L323-L325
[2]: https://github.com/SSSD/sssd/blob/2.5.2/configure.ac#L353-L377

Signed-off-by: Gaël PORTAY <gael.portay@rtone.fr>
---
 recipes-security/sssd/sssd_2.5.2.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/recipes-security/sssd/sssd_2.5.2.bb b/recipes-security/sssd/sssd_2.5.2.bb
index fe82452..98a4b5e 100644
--- a/recipes-security/sssd/sssd_2.5.2.bb
+++ b/recipes-security/sssd/sssd_2.5.2.bb
@@ -41,7 +41,7 @@ SSSD_UID ?= "root"
 SSSD_GID ?= "root"
 
 CACHED_CONFIGUREVARS = "ac_cv_member_struct_ldap_conncb_lc_arg=no \
-    ac_cv_prog_HAVE_PYTHON3=${PYTHON_DIR} \
+    ac_cv_prog_HAVE_PYTHON3=yes \
     "
 
 PACKAGECONFIG ?="nss nscd autofs sudo infopipe"
-- 
2.45.2

[meta-security,kirkstone][PATCH 3/5] sssd: fix issue if build machine is Debian

[Gaël PORTAY]

The configure script guesses the target system from the host if no
--with-os= is set[1]. It is untrue if cross-compiling.

The guessed host operating system is used then to do specific things
fort target build.

The commit[2] passes the downstream debian option --install-layout=deb
to setup.py[3] if the host system is debian based, and thus, it raises
the error attached below as that debian-specific option[4] is not part
of the openembedded[5] world.

This sets the Fedora operating system thanks to the existing configure
option --with-os=fedora, that is relatively sain operating system for
the needs of openembedded.

Fixes:

	| (...)/build/tmp/work/aarch64-poky-linux/sssd/2.5.2-r0/build/src/config/setup.py:25: DeprecationWarning: The distutils package is deprecated and slated for removal in Python 3.12. Use setuptools or check PEP 632 for potential alternatives
	|   from distutils.core import setup
	| usage: setup.py [global_opts] cmd1 [cmd1_opts] [cmd2 [cmd2_opts] ...]
	|    or: setup.py --help [cmd1 cmd2 ...]
	|    or: setup.py --help-commands
	|    or: setup.py cmd --help
	|
	| error: option --install-layout not recognized

Note: Upstream has introduced the "unknown" operating systemd with the
upcoming version 2.10.0[6][7]. The change can be backported.

[1]: https://github.com/SSSD/sssd/blob/2.5.2/src/external/platform.m4#L1-L31
[2]: https://github.com/SSSD/sssd/commit/e6ae55d5423434d5dc6c236e8647b33610d30e2e
[3]: https://github.com/SSSD/sssd/blob/2.5.2/Makefile.am#L32-L35
[4]: https://sources.debian.org/patches/setuptools/68.1.2-2/install-layout.diff/#L7
[5]: https://git.openembedded.org/openembedded-core/tree/meta/recipes-devtools/python/python3-setuptools_59.5.0.bb?h=kirkstone
[6]: https://github.com/SSSD/sssd/commit/7b32dc0ab877a9061b52868b8efe6866c3144b63
[7]: https://github.com/SSSD/sssd/pull/7398

Signed-off-by: Gaël PORTAY <gael.portay@rtone.fr>
---
 recipes-security/sssd/sssd_2.5.2.bb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/recipes-security/sssd/sssd_2.5.2.bb b/recipes-security/sssd/sssd_2.5.2.bb
index 98a4b5e..9991667 100644
--- a/recipes-security/sssd/sssd_2.5.2.bb
+++ b/recipes-security/sssd/sssd_2.5.2.bb
@@ -73,6 +73,7 @@ EXTRA_OECONF += " \
     --without-secrets \
     --with-xml-catalog-path=${STAGING_ETCDIR_NATIVE}/xml/catalog \
     --with-pid-path=/run \
+    --with-os=fedora \
 "
 
 do_configure:prepend() {
-- 
2.45.2

[meta-security,kirkstone][PATCH 4/5] sssd: fix shipping python script and modules

[Gaël PORTAY]

The project installs the python script sss_obfuscate to the /usr/sbin
directory and the modules to the /usr/lib/python3.X directory.

The recipe does not ship the python modules to the package sssd, and
thus, it raises the QA issue attached below.

This adds the python artifacts (sss_obfuscate script and module files)
to the dedicated package sssd-python.

Fixes:

	NOTE: Executing Tasks
	ERROR: sssd-2.5.2-r0 do_package: QA Issue: sssd: Files/directories were installed but not shipped in any package:
	  /usr/lib/python3.10
	  /usr/lib/python3.10/site-packages
	  /usr/lib/python3.10/site-packages/SSSDConfig-2.5.2-py3.10.egg-info
	  /usr/lib/python3.10/site-packages/pysss_nss_idmap.so
	  /usr/lib/python3.10/site-packages/pyhbac.so
	  /usr/lib/python3.10/site-packages/pysss.so
	  /usr/lib/python3.10/site-packages/pysss_murmur.so
	  /usr/lib/python3.10/site-packages/SSSDConfig
	  /usr/lib/python3.10/site-packages/SSSDConfig/sssdoptions.py
	  /usr/lib/python3.10/site-packages/SSSDConfig/ipachangeconf.py
	  /usr/lib/python3.10/site-packages/SSSDConfig/__init__.py
	  /usr/lib/python3.10/site-packages/SSSDConfig/__pycache__
	  /usr/lib/python3.10/site-packages/SSSDConfig/__pycache__/ipachangeconf.cpython-310.pyc
	  /usr/lib/python3.10/site-packages/SSSDConfig/__pycache__/__init__.cpython-310.pyc
	  /usr/lib/python3.10/site-packages/SSSDConfig/__pycache__/sssdoptions.cpython-310.pyc
	Please set FILES such that these items are packaged. Alternatively if they are unneeded, avoid installing them or delete them within do_install.
	sssd: 15 installed and not shipped files. [installed-vs-shipped]
	ERROR: sssd-2.5.2-r0 do_package: Fatal QA errors were found, failing task.

Signed-off-by: Gaël PORTAY <gael.portay@rtone.fr>
---
 recipes-security/sssd/sssd_2.5.2.bb | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/recipes-security/sssd/sssd_2.5.2.bb b/recipes-security/sssd/sssd_2.5.2.bb
index 9991667..4084d07 100644
--- a/recipes-security/sssd/sssd_2.5.2.bb
+++ b/recipes-security/sssd/sssd_2.5.2.bb
@@ -143,6 +143,7 @@ SYSTEMD_SERVICE:${PN} = " \
 "
 SYSTEMD_AUTO_ENABLE = "disable"
 
+PACKAGE_BEFORE_PN =+ "${PN}-python"
 PACKAGES =+ "libsss-sudo"
 ALLOW_EMPTY:libsss-sudo = "1"
 
@@ -151,6 +152,10 @@ FILES:${PN} += "${base_libdir}/security/pam_sss*.so  \
                 ${libdir}/krb5/* \
                 ${libdir}/ldb/* \
                 "
+FILES:${PN}-python = "${sbindir}/sss_obfuscate \
+                      ${PYTHON_SITEPACKAGES_DIR} \
+                      "
 FILES:libsss-sudo = "${libdir}/libsss_sudo.so"
 
 RDEPENDS:${PN} = "bind bind-utils dbus libldb libpam libsss-sudo"
+RDEPENDS:${PN}-python = "python3-core"
-- 
2.45.2

[meta-security,kirkstone][PATCH 5/5] sssd: fix path to python3 interpreter

[Gaël PORTAY]

The project uses /usr/bin/python as the path to the python3 interpreter
in the shebang of the python3 script /usr/sbin/sss_obfuscate[1].

OpenEmbedded uses /usr/bin/python3, and thus, it causes bitbake to raise
the QA issue attached below.

This fixes the path to the python3 interpreter by sed'ing the shebang at
do_install if the python3 is set in the PACKAGECONFIG.

Fixes:

	ERROR: sssd-2.5.2-r0 do_package_qa: QA Issue: /usr/sbin/sss_obfuscate contained in package sssd-python requires /usr/bin/python, but no providers found in RDEPENDS:sssd-python? [file-rdeps]
	ERROR: sssd-2.5.2-r0 do_package_qa: Fatal QA errors were found, failing task.

[1]: https://github.com/SSSD/sssd/blob/2.5.2/src/tools/sss_obfuscate#L1

Signed-off-by: Gaël PORTAY <gael.portay@rtone.fr>
---
 recipes-security/sssd/sssd_2.5.2.bb | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/recipes-security/sssd/sssd_2.5.2.bb b/recipes-security/sssd/sssd_2.5.2.bb
index 4084d07..92e339a 100644
--- a/recipes-security/sssd/sssd_2.5.2.bb
+++ b/recipes-security/sssd/sssd_2.5.2.bb
@@ -109,6 +109,10 @@ do_install () {
         echo "d ${SSSD_UID}:${SSSD_GID} 0755 ${localstatedir}/log/${BPN} none" > ${D}${sysconfdir}/default/volatiles/99_${BPN}
     fi
 
+    if ${@bb.utils.contains('PACKAGECONFIG', 'python3', 'true', 'false', d)}; then
+        sed '1s,/usr/bin/python,/usr/bin/python3,' -i ${D}${sbindir}/sss_obfuscate
+    fi
+
     # Remove /run as it is created on startup
     rm -rf ${D}/run
 
-- 
2.45.2

Re: [yocto-patches] [meta-security,kirkstone][PATCH 2/5] sssd: fix ac_cv_prog_HAVE_PYTHON3 value

[akuster808]

On 6/26/24 9:39 AM, "Gaël PORTAY via lists.yoctoproject.org wrote:
> The variable HAVE_PYTHON3 expects a boolean value[1] and the configure
> script raises an error if the option --with-python3-bindings is set and
> if the value HAVE_PYTHON3 is not "yes"[2].
>
> The recipe sets a non-boolean value to ac_cv_prog_HAVE_PYTHON3 and thus
> causes the task do_configure to fail.

Does this apply to master?

- armin
>
> This fixes the value set to ac_cv_prog_HAVE_PYTHON3 by setting it to yes
> instead of $(PYTHON_DIR).
>
> Fixes:
>
> 	| checking for python3... (cached) python3.10
> 	| configure: error:
> 	| The program python3 was not found in search path.
> 	| Please ensure that it is installed and its directory is included in the search
> 	| path. It is required for building python3 bindings. If you do not want to build
> 	| them please use argument --without-python3-bindings when running configure.
> 	| NOTE: The following config.log files may provide further information.
>
> [1]: https://github.com/SSSD/sssd/blob/2.5.2/configure.ac#L323-L325
> [2]: https://github.com/SSSD/sssd/blob/2.5.2/configure.ac#L353-L377
>
> Signed-off-by: Gaël PORTAY <gael.portay@rtone.fr>
> ---
>   recipes-security/sssd/sssd_2.5.2.bb | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/recipes-security/sssd/sssd_2.5.2.bb b/recipes-security/sssd/sssd_2.5.2.bb
> index fe82452..98a4b5e 100644
> --- a/recipes-security/sssd/sssd_2.5.2.bb
> +++ b/recipes-security/sssd/sssd_2.5.2.bb
> @@ -41,7 +41,7 @@ SSSD_UID ?= "root"
>   SSSD_GID ?= "root"
>   
>   CACHED_CONFIGUREVARS = "ac_cv_member_struct_ldap_conncb_lc_arg=no \
> -    ac_cv_prog_HAVE_PYTHON3=${PYTHON_DIR} \
> +    ac_cv_prog_HAVE_PYTHON3=yes \
>       "
>   
>   PACKAGECONFIG ?="nss nscd autofs sudo infopipe"

Re: [yocto-patches] [meta-security,kirkstone][PATCH 3/5] sssd: fix issue if build machine is Debian

[akuster808]

On 6/26/24 9:39 AM, "Gaël PORTAY via lists.yoctoproject.org wrote:
> The configure script guesses the target system from the host if no
> --with-os= is set[1]. It is untrue if cross-compiling.
>
> The guessed host operating system is used then to do specific things
> fort target build.
>
> The commit[2] passes the downstream debian option --install-layout=deb
> to setup.py[3] if the host system is debian based, and thus, it raises
> the error attached below as that debian-specific option[4] is not part
> of the openembedded[5] world.
>
> This sets the Fedora operating system thanks to the existing configure
> option --with-os=fedora, that is relatively sain operating system for
> the needs of openembedded.

Won't this apply to master as well?

- armin
> Fixes:
>
> 	| (...)/build/tmp/work/aarch64-poky-linux/sssd/2.5.2-r0/build/src/config/setup.py:25: DeprecationWarning: The distutils package is deprecated and slated for removal in Python 3.12. Use setuptools or check PEP 632 for potential alternatives
> 	|   from distutils.core import setup
> 	| usage: setup.py [global_opts] cmd1 [cmd1_opts] [cmd2 [cmd2_opts] ...]
> 	|    or: setup.py --help [cmd1 cmd2 ...]
> 	|    or: setup.py --help-commands
> 	|    or: setup.py cmd --help
> 	|
> 	| error: option --install-layout not recognized
>
> Note: Upstream has introduced the "unknown" operating systemd with the
> upcoming version 2.10.0[6][7]. The change can be backported.
>
> [1]: https://github.com/SSSD/sssd/blob/2.5.2/src/external/platform.m4#L1-L31
> [2]: https://github.com/SSSD/sssd/commit/e6ae55d5423434d5dc6c236e8647b33610d30e2e
> [3]: https://github.com/SSSD/sssd/blob/2.5.2/Makefile.am#L32-L35
> [4]: https://sources.debian.org/patches/setuptools/68.1.2-2/install-layout.diff/#L7
> [5]: https://git.openembedded.org/openembedded-core/tree/meta/recipes-devtools/python/python3-setuptools_59.5.0.bb?h=kirkstone
> [6]: https://github.com/SSSD/sssd/commit/7b32dc0ab877a9061b52868b8efe6866c3144b63
> [7]: https://github.com/SSSD/sssd/pull/7398
>
> Signed-off-by: Gaël PORTAY <gael.portay@rtone.fr>
> ---
>   recipes-security/sssd/sssd_2.5.2.bb | 1 +
>   1 file changed, 1 insertion(+)
>
> diff --git a/recipes-security/sssd/sssd_2.5.2.bb b/recipes-security/sssd/sssd_2.5.2.bb
> index 98a4b5e..9991667 100644
> --- a/recipes-security/sssd/sssd_2.5.2.bb
> +++ b/recipes-security/sssd/sssd_2.5.2.bb
> @@ -73,6 +73,7 @@ EXTRA_OECONF += " \
>       --without-secrets \
>       --with-xml-catalog-path=${STAGING_ETCDIR_NATIVE}/xml/catalog \
>       --with-pid-path=/run \
> +    --with-os=fedora \
>   "
>   
>   do_configure:prepend() {

Re: [yocto-patches] [meta-security,kirkstone][PATCH 1/5] sssd: fix missing python3.X-config script

[akuster808]

On 6/26/24 9:39 AM, "Gaël PORTAY via lists.yoctoproject.org wrote:
> The configure script checks for the utility python3.X-config to be in
> $PATH; that script is shipped by the package python3-native.
>
> The recipe does not depend on the package python3-native which causes
> the task do_configure to fail.
>
> The recipe inherits from the bbclass python3-dir that does not install
> the required script to the sysroot. The bbclass python3native inherits
> from (the already inherited bbclass) python3-dir and it adds the missing
> dependency to python3-native.\

Does this apply to master?

- armin
>
> This fixes the configure error by "upgrading" the inherit bbclass from
> python3-dir to python3-native.
>
> Fixes:
>
> 	| checking for python3.10-config... no
> 	| configure: error:
> 	| The program python3.10-config was not found in search path.
> 	| Please ensure that it is installed and its directory is included in the search
> 	| path. If you want to build sssd without python3 bindings then specify
> 	| --without-python3-bindings when running configure.
> 	| NOTE: The following config.log files may provide further information.
>
> Signed-off-by: Gaël PORTAY <gael.portay@rtone.fr>
> ---
>   recipes-security/sssd/sssd_2.5.2.bb | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/recipes-security/sssd/sssd_2.5.2.bb b/recipes-security/sssd/sssd_2.5.2.bb
> index c07559c..fe82452 100644
> --- a/recipes-security/sssd/sssd_2.5.2.bb
> +++ b/recipes-security/sssd/sssd_2.5.2.bb
> @@ -33,7 +33,7 @@ CVE_CHECK_IGNORE += "\
>       CVE-2018-16838 \
>   "
>   
> -inherit autotools pkgconfig gettext python3-dir features_check systemd
> +inherit autotools pkgconfig gettext python3native features_check systemd
>   
>   REQUIRED_DISTRO_FEATURES = "pam"
>   

Re: [yocto-patches] [meta-security,kirkstone][PATCH 2/5] sssd: fix ac_cv_prog_HAVE_PYTHON3 value

[Gaël PORTAY]

Hello,

On Mon Jul 1, 2024 at 1:12 PM CEST, Armin Kuster via lists.yoctoproject.org wrote:
>
>
> On 6/26/24 9:39 AM, "Gaël PORTAY via lists.yoctoproject.org wrote:
> > The variable HAVE_PYTHON3 expects a boolean value[1] and the configure
> > script raises an error if the option --with-python3-bindings is set and
> > if the value HAVE_PYTHON3 is not "yes"[2].
> >
> > The recipe sets a non-boolean value to ac_cv_prog_HAVE_PYTHON3 and thus
> > causes the task do_configure to fail.
>
> Does this apply to master?
>

The change does not apply as is because of the context has changed a
bit: the line below has been modified since kirkstone.

> - armin
> >
> > This fixes the value set to ac_cv_prog_HAVE_PYTHON3 by setting it to yes
> > instead of $(PYTHON_DIR).
> >
> > Fixes:
> >
> > 	| checking for python3... (cached) python3.10
> > 	| configure: error:
> > 	| The program python3 was not found in search path.
> > 	| Please ensure that it is installed and its directory is included in the search
> > 	| path. It is required for building python3 bindings. If you do not want to build
> > 	| them please use argument --without-python3-bindings when running configure.
> > 	| NOTE: The following config.log files may provide further information.
> >
> > [1]: https://github.com/SSSD/sssd/blob/2.5.2/configure.ac#L323-L325
> > [2]: https://github.com/SSSD/sssd/blob/2.5.2/configure.ac#L353-L377
> >
> > Signed-off-by: Gaël PORTAY <gael.portay@rtone.fr>
> > ---
> >   recipes-security/sssd/sssd_2.5.2.bb | 2 +-
> >   1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/recipes-security/sssd/sssd_2.5.2.bb b/recipes-security/sssd/sssd_2.5.2.bb
> > index fe82452..98a4b5e 100644
> > --- a/recipes-security/sssd/sssd_2.5.2.bb
> > +++ b/recipes-security/sssd/sssd_2.5.2.bb
> > @@ -41,7 +41,7 @@ SSSD_UID ?= "root"
> >   SSSD_GID ?= "root"
> >   
> >   CACHED_CONFIGUREVARS = "ac_cv_member_struct_ldap_conncb_lc_arg=no \
> > -    ac_cv_prog_HAVE_PYTHON3=${PYTHON_DIR} \
> > +    ac_cv_prog_HAVE_PYTHON3=yes \
> >       "
> >   
> >   PACKAGECONFIG ?="nss nscd autofs sudo infopipe"

The line is now:

	PACKAGECONFIG ?="nss autofs sudo infopipe"

>
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#395): https://lists.yoctoproject.org/g/yocto-patches/message/395
> Mute This Topic: https://lists.yoctoproject.org/mt/106889412/8642966
> Group Owner: yocto-patches+owner@lists.yoctoproject.org
> Unsubscribe: https://lists.yoctoproject.org/g/yocto-patches/leave/13404021/8642966/1905432541/xyzzy [gael.portay+yocto@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-

Regards,
Gaël

Here is the change (untested):

----- >8 ---------------------------------------------------------------

 .../networking-layer/recipes-security/sssd/sssd_2.9.2.bb        | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.9.2.bb b/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.9.2.bb
index 058d80d..2ab72ae 100644
--- a/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.9.2.bb
+++ b/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.9.2.bb
@@ -38,7 +38,7 @@ SSSD_UID ?= "root"
 SSSD_GID ?= "root"
 
 CACHED_CONFIGUREVARS = "ac_cv_member_struct_ldap_conncb_lc_arg=no \
-    ac_cv_prog_HAVE_PYTHON3=${PYTHON_DIR} \
+    ac_cv_prog_HAVE_PYTHON3=yes \
     "
 
 PACKAGECONFIG ?="nss autofs sudo infopipe"

Re: [yocto-patches] [meta-security,kirkstone][PATCH 3/5] sssd: fix issue if build machine is Debian

[Gaël PORTAY]

Hello,

On Mon Jul 1, 2024 at 1:12 PM CEST, akuster808 wrote:
>
>
> On 6/26/24 9:39 AM, "Gaël PORTAY via lists.yoctoproject.org wrote:
> > The configure script guesses the target system from the host if no
> > --with-os= is set[1]. It is untrue if cross-compiling.
> >
> > The guessed host operating system is used then to do specific things
> > fort target build.
> >
> > The commit[2] passes the downstream debian option --install-layout=deb
> > to setup.py[3] if the host system is debian based, and thus, it raises
> > the error attached below as that debian-specific option[4] is not part
> > of the openembedded[5] world.
> >
> > This sets the Fedora operating system thanks to the existing configure
> > option --with-os=fedora, that is relatively sain operating system for
> > the needs of openembedded.
>
> Won't this apply to master as well?
>

The change does not apply as is because of the context has changed a
bit: the line aove has been modified since kirkstone.

> - armin
> > Fixes:
> >
> > 	| (...)/build/tmp/work/aarch64-poky-linux/sssd/2.5.2-r0/build/src/config/setup.py:25: DeprecationWarning: The distutils package is deprecated and slated for removal in Python 3.12. Use setuptools or check PEP 632 for potential alternatives
> > 	|   from distutils.core import setup
> > 	| usage: setup.py [global_opts] cmd1 [cmd1_opts] [cmd2 [cmd2_opts] ...]
> > 	|    or: setup.py --help [cmd1 cmd2 ...]
> > 	|    or: setup.py --help-commands
> > 	|    or: setup.py cmd --help
> > 	|
> > 	| error: option --install-layout not recognized
> >
> > Note: Upstream has introduced the "unknown" operating systemd with the
> > upcoming version 2.10.0[6][7]. The change can be backported.
> >
> > [1]: https://github.com/SSSD/sssd/blob/2.5.2/src/external/platform.m4#L1-L31
> > [2]: https://github.com/SSSD/sssd/commit/e6ae55d5423434d5dc6c236e8647b33610d30e2e
> > [3]: https://github.com/SSSD/sssd/blob/2.5.2/Makefile.am#L32-L35
> > [4]: https://sources.debian.org/patches/setuptools/68.1.2-2/install-layout.diff/#L7
> > [5]: https://git.openembedded.org/openembedded-core/tree/meta/recipes-devtools/python/python3-setuptools_59.5.0.bb?h=kirkstone
> > [6]: https://github.com/SSSD/sssd/commit/7b32dc0ab877a9061b52868b8efe6866c3144b63
> > [7]: https://github.com/SSSD/sssd/pull/7398
> >
> > Signed-off-by: Gaël PORTAY <gael.portay@rtone.fr>
> > ---
> >   recipes-security/sssd/sssd_2.5.2.bb | 1 +
> >   1 file changed, 1 insertion(+)
> >
> > diff --git a/recipes-security/sssd/sssd_2.5.2.bb b/recipes-security/sssd/sssd_2.5.2.bb
> > index 98a4b5e..9991667 100644
> > --- a/recipes-security/sssd/sssd_2.5.2.bb
> > +++ b/recipes-security/sssd/sssd_2.5.2.bb
> > @@ -73,6 +73,7 @@ EXTRA_OECONF += " \
> >       --without-secrets \

The line is now:

     --enable-pammoddir=${base_libdir}/security \

> >       --with-xml-catalog-path=${STAGING_ETCDIR_NATIVE}/xml/catalog \
> >       --with-pid-path=/run \
> > +    --with-os=fedora \
> >   "
> >   
> >   do_configure:prepend() {

Regards,
Gaël

Here is the change (untested):

----- >8 ---------------------------------------------------------------

 .../networking-layer/recipes-security/sssd/sssd_2.9.2.bb         | 1 +
 1 file changed, 1 insertion(+)

diff --git a/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.9.2.bb b/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.9.2.bb
index 2ab72ae..cce6786 100644
--- a/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.9.2.bb
+++ b/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.9.2.bb
@@ -68,6 +68,7 @@ EXTRA_OECONF += " \
     --enable-pammoddir=${base_libdir}/security \
     --with-xml-catalog-path=${STAGING_ETCDIR_NATIVE}/xml/catalog \
     --with-pid-path=/run \
+    --with-os=fedora \
 "

 do_configure:prepend() {

Re: [yocto-patches] [meta-security,kirkstone][PATCH 1/5] sssd: fix missing python3.X-config script

[Gaël PORTAY]

Hello,

On Mon Jul 1, 2024 at 1:14 PM CEST, akuster808 wrote:
>
>
> On 6/26/24 9:39 AM, "Gaël PORTAY via lists.yoctoproject.org wrote:
> > The configure script checks for the utility python3.X-config to be in
> > $PATH; that script is shipped by the package python3-native.
> >
> > The recipe does not depend on the package python3-native which causes
> > the task do_configure to fail.
> >
> > The recipe inherits from the bbclass python3-dir that does not install
> > the required script to the sysroot. The bbclass python3native inherits
> > from (the already inherited bbclass) python3-dir and it adds the missing
> > dependency to python3-native.\
>
> Does this apply to master?
>

The change does not apply as is because of the context has changed a
bit: the two lines above have been modified since kirkstone.

> - armin
> >
> > This fixes the configure error by "upgrading" the inherit bbclass from
> > python3-dir to python3-native.
> >
> > Fixes:
> >
> > 	| checking for python3.10-config... no
> > 	| configure: error:
> > 	| The program python3.10-config was not found in search path.
> > 	| Please ensure that it is installed and its directory is included in the search
> > 	| path. If you want to build sssd without python3 bindings then specify
> > 	| --without-python3-bindings when running configure.
> > 	| NOTE: The following config.log files may provide further information.
> >
> > Signed-off-by: Gaël PORTAY <gael.portay@rtone.fr>
> > ---
> >   recipes-security/sssd/sssd_2.5.2.bb | 2 +-
> >   1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/recipes-security/sssd/sssd_2.5.2.bb b/recipes-security/sssd/sssd_2.5.2.bb
> > index c07559c..fe82452 100644
> > --- a/recipes-security/sssd/sssd_2.5.2.bb
> > +++ b/recipes-security/sssd/sssd_2.5.2.bb
> > @@ -33,7 +33,7 @@ CVE_CHECK_IGNORE += "\
> >       CVE-2018-16838 \

The two lines are now:
 
 UPSTREAM_CHECK_URI = "https://github.com/SSSD/${BPN}/releases"

> >   "
> >   
> > -inherit autotools pkgconfig gettext python3-dir features_check systemd
> > +inherit autotools pkgconfig gettext python3native features_check systemd
> >   
> >   REQUIRED_DISTRO_FEATURES = "pam"
> >   

Regards,
Gaël

Here is the change (untested):

----- >8 ---------------------------------------------------------------

 .../networking-layer/recipes-security/sssd/sssd_2.9.2.bb        | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.9.2.bb b/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.9.2.bb
index 0c75d8f..058d80d 100644
--- a/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.9.2.bb
+++ b/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.9.2.bb
@@ -30,7 +30,7 @@ SRC_URI[sha256sum] = "827bc65d64132410e6dd3df003f04829d60387ec30e72b2d4e22d93bb6

 UPSTREAM_CHECK_URI = "https://github.com/SSSD/${BPN}/releases"

-inherit autotools pkgconfig gettext python3-dir features_check systemd
+inherit autotools pkgconfig gettext python3native features_check systemd

 REQUIRED_DISTRO_FEATURES = "pam"

Re: [meta-security,kirkstone][PATCH 0/5] sssd: fix python3 support

[Gaël PORTAY]

Hello,

On Wed Jun 26, 2024 at 3:39 PM CEST, =?UTF-8?q?Ga=C3=ABl=20PORTAY?= wrote:
> Dear Maintainers,
>
> This patch series brings several fixes to enable the support for python3
> to the recipe sssd.
>
> I have tested the build on the branch kirkstone with following change to
> enable python3:
>
> 	PACKAGECONFIG:append:pn-sssd = " python3"
>
> The command below runs successfully since then, however, I have not
> tested it on scarthgap (yet?).
>
> 	$ bitbake sssd
>
> The patch series creates the new target package sssd-python; tell me if
> is not misnamed (thinking about python-sssd?) or if the python script
> and its modules should be part of the target package sssd instead.
>
> Also, tell me if you want me to apply these changes on top of master.
>
> Important: I am no expert in python packaging at all, so I have probably
> made not-the-right choices in the first commit! Sorry...
>
> Kind Regards,
> Gaël PORTAY (5):
>   sssd: fix missing python3.X-config script
>   sssd: fix ac_cv_prog_HAVE_PYTHON3 value
>   sssd: fix issue if build machine is Debian

Armin, do you want me to send these three changes on top of master, even
if they have not been tested on that branch?

>   sssd: fix shipping python script and modules
>   sssd: fix path to python3 interpreter

(that change "cleanly" applies I guess).

>
>  recipes-security/sssd/sssd_2.5.2.bb | 14 ++++++++++++--
>  1 file changed, 12 insertions(+), 2 deletions(-)

Regards,
Gaël

Re: [yocto-patches] [meta-security,kirkstone][PATCH 3/5] sssd: fix issue if build machine is Debian

[Gaël PORTAY]

Armin,

On Mon Jul 1, 2024 at 1:12 PM CEST, akuster808 wrote:
>
>
> On 6/26/24 9:39 AM, "Gaël PORTAY via lists.yoctoproject.org wrote:
> > The configure script guesses the target system from the host if no
> > --with-os= is set[1]. It is untrue if cross-compiling.
> >
> > The guessed host operating system is used then to do specific things
> > fort target build.
> >
> > The commit[2] passes the downstream debian option --install-layout=deb
> > to setup.py[3] if the host system is debian based, and thus, it raises
> > the error attached below as that debian-specific option[4] is not part
> > of the openembedded[5] world.
> >
> > This sets the Fedora operating system thanks to the existing configure
> > option --with-os=fedora, that is relatively sain operating system for
> > the needs of openembedded.
>
> Won't this apply to master as well?
>

The patch serie does not apply cleanly to master; I have fixed it.

But, there are additionnal fixes to add on master (not needed in
kirkstone).

I will send the patch (shortly?) once I have retested the whole thing.

> - armin

Regards,
Gaël