Buildroot Archive on lore.kernel.org
From: Thomas Petazzoni via buildroot <buildroot@buildroot.org>
To: "Alexis Lothoré" <alexis.lothore@bootlin.com>
Cc: tim.hammer@nav-timing.safrangroup.com,
	nicolas.carrier@nav-timing.safrangroup.com,
	buildroot@buildroot.org
Subject: Re: [Buildroot] [PATCH 4/4] package/compliance-as-code: add new package
Date: Wed, 30 Jul 2025 19:18:34 +0200
Message-ID: <20250730191834.6bc7f097@windsurf>
In-Reply-To: <20250730-openscap-v1-4-46e4a32e26da@bootlin.com>

Hello Alexis,

Thanks for this patch (again!). Some comments below.

On Wed, 30 Jul 2025 14:47:16 +0200
Alexis Lothoré <alexis.lothore@bootlin.com> wrote:

> Introduce the Compliance As Code package. This project provides data
> files consumed by the openscap tool to evaluate a host's compliance
> with security policies. The package depends on both host-openscap
> (needed at build time to process the input files into usable files) and
> openscap (needed on the target, which will use the generated files to
> evaluate the system configuration).
> 
> The project is based on cmake, but it also exposes a wrapper script
> (build_product). The package uses the cmake build system, but exposes a
> few Kconfig options to replicate some of the build_product options:
> - BR2_PACKAGE_COMPLIANCE_AS_CODE_DATASTREAM_ONLY: replicates the -d
>   option, building only the datastream files instead of all the files
> - BR2_PACKAGE_COMPLIANCE_AS_CODE_PRODUCTS: allows selecting the
>   product(s) for which we want to generate policy files.
> 
> The default install target provided by the project expects a full build,
> and so it will try to generate all the files for all the products when
> executed (which cancels the benefit of being able to select only a
> single or a few products), so the package defines a custom install
> command.

Very nice commit message. Perhaps too nice as it makes me think: what
about a support/testing/ test case for this package?

Commit title should be:

	package/compliance-as-code: new package

> Signed-off-by: Alexis Lothoré <alexis.lothore@bootlin.com>
> ---
>  package/Config.in                                  |  1 +
>  package/compliance-as-code/Config.in               | 35 ++++++++++++++++++++++
>  package/compliance-as-code/compliance-as-code.hash |  5 ++++
>  package/compliance-as-code/compliance-as-code.mk   | 34 +++++++++++++++++++++
>  4 files changed, 75 insertions(+)

Entry in the DEVELOPERS file.


> diff --git a/package/compliance-as-code/Config.in b/package/compliance-as-code/Config.in
> new file mode 100644
> index 0000000000000000000000000000000000000000..402bf2ba8610808f4d536f5d102348a879fb4d5d
> --- /dev/null
> +++ b/package/compliance-as-code/Config.in
> @@ -0,0 +1,35 @@
> +config BR2_PACKAGE_COMPLIANCE_AS_CODE
> +	bool "compliance-as-code"
> +	depends on BR2_PACKAGE_LIBGPG_ERROR_ARCH_SUPPORTS  # openscap
> +	depends on !BR2_STATIC_LIBS # dlfcn.h

I guess this comes also from openscap, so the comment should also be
# openscap

> +	select BR2_PACKAGE_HOST_OPENSCAP

Not needed, this option does not exist.

> +	select BR2_PACKAGE_OPENSCAP
> +	select BR2_PACKAGE_HOST_PYTHON

This option does not exist, and it's not necessary to select
BR2_PACKAGE_HOST_PYTHON3.

> +	select BR2_PACKAGE_HOST_PYTHON_PYAML

This option does not exist, it's BR2_PACKAGE_HOST_PYTHON_PYYAML, but
selecting it is not needed.

> +	select BR2_PACKAGE_HOST_PYTHON_JINJA2

This option does not exist.

> +	select BR2_PACKAGE_HOST_LIBXSLT

This option does not exist.

> +	select BR2_PACKAGE_HOST_LIBXML2

This option does not exist.

Basically, you almost never need to select the option of host packages.
The only case is if you need a sub-option of a host package, like
BR2_PACKAGE_HOST_PYTHON3_BZIP2 for example.
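Review bot: the `depends on !BR2_STATIC_LIBS` line needs the matching Kconfig `comment` block Buildroot uses to tell the user why the package is hidden, e.g. `comment "compliance-as-code needs a toolchain w/ dynamic library"` guarded by `depends on BR2_STATIC_LIBS` and by the same `BR2_PACKAGE_LIBGPG_ERROR_ARCH_SUPPORTS` condition; none appears in the quoted part of the hunk. The diffstat counts 35 lines but only the first twelve are quoted, so please also check that BR2_PACKAGE_COMPLIANCE_AS_CODE_DATASTREAM_ONLY and BR2_PACKAGE_COMPLIANCE_AS_CODE_PRODUCTS each carry a `help` text naming the build_product option they replicate, and that the PRODUCTS help states the expected format (a space-separated list, given the `qstrip` + `foreach` in the .mk).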

> diff --git a/package/compliance-as-code/compliance-as-code.hash b/package/compliance-as-code/compliance-as-code.hash
> new file mode 100644
> index 0000000000000000000000000000000000000000..7b100dc4be54126a4c8f1f84b918d26196cc0d7d
> --- /dev/null
> +++ b/package/compliance-as-code/compliance-as-code.hash
> @@ -0,0 +1,5 @@
> +
> +# Locally calculated
> +sha256  bb79e996035a1d985c49e5df8988a5d5f2310f5b3b5d49492f95a6845db00f43  compliance-as-code-0.1.77.tar.gz
> +# Locally calculated
> +sha256  ade633d5db670a58ff5f735c3602caafc72657a516416969fff79ff8a0c10298  LICENSE
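Review bot: the hash file starts with an empty `+` line; drop that leading blank line so the file begins directly with the comment like the other .hash files in the tree. The two `# Locally calculated` comments can be collapsed into a single header above both sha256 lines. Since the tarball is a GitHub-generated archive (the .mk uses `$(call github,...)`), a locally computed hash is the right choice, but it is worth stating in the commit message that it was computed from a fresh download so a reviewer can re-verify it.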
> diff --git a/package/compliance-as-code/compliance-as-code.mk b/package/compliance-as-code/compliance-as-code.mk
> new file mode 100644
> index 0000000000000000000000000000000000000000..dc273403c52371753bb6076c7b0b381d5958749f
> --- /dev/null
> +++ b/package/compliance-as-code/compliance-as-code.mk
> @@ -0,0 +1,34 @@
> +################################################################################
> +#
> +# Compliance As Code
> +#
> +################################################################################
> +
> +COMPLIANCE_AS_CODE_VERSION = 0.1.77
> +COMPLIANCE_AS_CODE_SITE = $(call github,ComplianceAsCode,content,v$(COMPLIANCE_AS_CODE_VERSION))
> +COMPLIANCE_AS_CODE_LICENSE = BSD-3-Clause
> +COMPLIANCE_AS_CODE_LICENSE_FILES = LICENSE
> +COMPLIANCE_AS_CODE_REDISTRIBUTE = NO

Why? If it's BSD-3-Clause.

> +COMPLIANCE_AS_CODE_DEPENDENCIES = \
> +	host-python3 \
> +	host-openscap \
> +	openscap \
> +	host-python-jinja2 \
> +	host-python-pyyaml \
> +	host-libxslt \
> +	host-libxml2

I assume you verified all those host dependencies are actually needed?

> +
> +COMPLIANCE_AS_CODE_CONF_ENV = OPENSCAP_ROOT_DIR=$(HOST_DIR)
> +COMPLIANCE_AS_CODE_SUPPORTS_IN_SOURCE_BUILD = NO
> +COMPLIANCE_AS_CODE_MAKE_OPTS = \
> +	$(foreach p,\
> +	$(call qstrip,$(BR2_PACKAGE_COMPLIANCE_AS_CODE_PRODUCTS)),\
> +	$(if $(BR2_PACKAGE_COMPLIANCE_AS_CODE_DATASTREAM_ONLY), generate-ssg-$(p)-ds.xml, $(p)))

How does that work when
BR2_PACKAGE_COMPLIANCE_AS_CODE_DATASTREAM_ONLY=y and
BR2_PACKAGE_COMPLIANCE_AS_CODE_PRODUCTS is empty? This will lead to
COMPLIANCE_AS_CODE_MAKE_OPTS being empty, so I don't see how the build
can differentiate BR2_PACKAGE_COMPLIANCE_AS_CODE_DATASTREAM_ONLY=y vs.
BR2_PACKAGE_COMPLIANCE_AS_CODE_DATASTREAM_ONLY disabled.

> +define COMPLIANCE_AS_CODE_INSTALL_TARGET_CMDS
> +	mkdir -p $(TARGET_DIR)/etc/openscap
> +	rsync -a $(@D)/buildroot-build/*.xml $(TARGET_DIR)/etc/openscap/

We often use:

	cp -dpfr $(@D)/buildroot-build/*.xml $(TARGET_DIR)/etc/openscap/

for this kind of situation.
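Review bot: `openscap` in COMPLIANCE_AS_CODE_DEPENDENCIES is, per the commit message, only needed on the target at runtime, not to build this package, so it should be annotated the Buildroot way, `openscap # runtime`, to make clear it is not a build-time input. In the install step, `$(@D)/buildroot-build/*.xml` is an unquoted glob: when no product was selected (the empty PRODUCTS case raised above) nothing matches and the copy command errors out with an opaque message, so either make the PRODUCTS option non-empty by construction or fail earlier with an explicit message. Finally, `endef` and the `$(eval $(cmake-package))` line fall outside the quoted part of the hunk; please confirm the package is indeed registered as a cmake-package, since COMPLIANCE_AS_CODE_CONF_ENV and COMPLIANCE_AS_CODE_SUPPORTS_IN_SOURCE_BUILD only take effect there.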

Thanks!

Thomas
-- 
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
