[Buildroot] [PATCH 1/1] package/libselinux: host-python3 needs SSL support

[Buildroot] [PATCH 1/1] package/libselinux: host-python3 needs SSL support

[Bernd Kuhls]

Buildroot commit 285097051d4a7dd821f01d15c705867f7e26c635 bumped
python-pip to version 25.3, causing build errors when host-python3 was
built without SSL support:

  WARNING: pip is configured with locations that require TLS/SSL,
   however the ssl module in Python is not available.
[...]
  Could not fetch URL https://pypi.org/simple/setuptools/:
   There was a problem confirming the ssl certificate:
   HTTPSConnectionPool(host='pypi.org', port=443): Max retries exceeded
   with url: /simple/setuptools/ (Caused by SSLError("Can't connect to
   HTTPS URL because the SSL module is not available.")) - skipping
  ERROR: Could not find a version that satisfies the requirement setuptools>=40.8.0 (from versions: none)

Reverting the python-pip bump reveals the true cause of the build error
by showing these messages:

  WARNING: pip is configured with locations that require TLS/SSL,
   however the ssl module in Python is not available.
[...]
  DEPRECATION: Building 'selinux' using the legacy setup.py bdist_wheel
  mechanism, which will be removed in a future version. pip 25.3 will
  enforce this behaviour change. A possible replacement is to use the
  standardized build interface by setting the `--use-pep517` option,
  (possibly combined with `--no-build-isolation`), or adding a
  `pyproject.toml` file to the source tree of 'selinux'.
  Discussion can be found at https://github.com/pypa/pip/issues/6334

Selecting BR2_PACKAGE_HOST_PYTHON3_SSL fixes the problem.

Criu, the only other buildroot package using host-python-pip as
dependency, already selects BR2_PACKAGE_HOST_PYTHON3_SSL.

Fixes:
https://autobuild.buildroot.net/results/fd6/fd6d3edd5f74d094621ac9fdb93db24520b7a6e3/

Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
---
 package/libselinux/Config.in | 1 +
 1 file changed, 1 insertion(+)

diff --git a/package/libselinux/Config.in b/package/libselinux/Config.in
index bc40e32a46..db5694e7bd 100644
--- a/package/libselinux/Config.in
+++ b/package/libselinux/Config.in
@@ -7,6 +7,7 @@ config BR2_PACKAGE_LIBSELINUX
 	select BR2_PACKAGE_PCRE2
 	select BR2_PACKAGE_MUSL_FTS if !BR2_TOOLCHAIN_USES_GLIBC
 	select BR2_PACKAGE_PYTHON_SETUPTOOLS if BR2_PACKAGE_PYTHON3
+	select BR2_PACKAGE_HOST_PYTHON3_SSL if BR2_PACKAGE_PYTHON3
 	help
 	  libselinux is the runtime SELinux library that provides
 	  interfaces (e.g. library functions for the SELinux kernel
-- 
2.47.3

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH 1/1] package/libselinux: host-python3 needs SSL support

[Julien Olivain via buildroot]

Hi Bernd,

On 17/12/2025 19:48, Bernd Kuhls wrote:
> Buildroot commit 285097051d4a7dd821f01d15c705867f7e26c635 bumped
> python-pip to version 25.3, causing build errors when host-python3 was
> built without SSL support:
> 
>   WARNING: pip is configured with locations that require TLS/SSL,
>    however the ssl module in Python is not available.
> [...]
>   Could not fetch URL https://pypi.org/simple/setuptools/:
>    There was a problem confirming the ssl certificate:
>    HTTPSConnectionPool(host='pypi.org', port=443): Max retries exceeded
>    with url: /simple/setuptools/ (Caused by SSLError("Can't connect to
>    HTTPS URL because the SSL module is not available.")) - skipping
>   ERROR: Could not find a version that satisfies the requirement 
> setuptools>=40.8.0 (from versions: none)
> 
> Reverting the python-pip bump reveals the true cause of the build error
> by showing these messages:
> 
>   WARNING: pip is configured with locations that require TLS/SSL,
>    however the ssl module in Python is not available.
> [...]
>   DEPRECATION: Building 'selinux' using the legacy setup.py bdist_wheel
>   mechanism, which will be removed in a future version. pip 25.3 will
>   enforce this behaviour change. A possible replacement is to use the
>   standardized build interface by setting the `--use-pep517` option,
>   (possibly combined with `--no-build-isolation`), or adding a
>   `pyproject.toml` file to the source tree of 'selinux'.
>   Discussion can be found at https://github.com/pypa/pip/issues/6334
> 
> Selecting BR2_PACKAGE_HOST_PYTHON3_SSL fixes the problem.
> 
> Criu, the only other buildroot package using host-python-pip as
> dependency, already selects BR2_PACKAGE_HOST_PYTHON3_SSL.
> 
> Fixes:
> https://autobuild.buildroot.net/results/fd6/fd6d3edd5f74d094621ac9fdb93db24520b7a6e3/
> 
> Signed-off-by: Bernd Kuhls <bernd@kuhls.net>

Hi Bernd,

While testing this patch, I observed two new new kind of build
errors. Those were reported in autobuilder. See for example:

https://autobuild.buildroot.org/results/953/953b8c6d7da0f150ec56760c4a3191e630c01381/build-end.log
https://autobuild.buildroot.org/results/a9b/a9bc288de3abefaa11f10d8ea93f425eff26ac71/build-end.log

It is possible those are related to the recent python
package updates.

The libselinux package might have a missing dependency
on host-python-setuptools.

Also I've seen that in libselinux.mk, $(PKG_PYTHON_SETUPTOOLS_ENV)
is passed to _MAKE_OPTS rather than _MAKE_ENV. Changing that worked
around those issues while testing.

You can reproduce those issues with the commands:

cat >.config <<EOF
BR2_aarch64=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_PACKAGE_PYTHON3=y
BR2_PACKAGE_LIBSELINUX=y
EOF
make olddefconfig
make libselinux

Since this SSL support in host-python3 is needed anyway, I applied
this patch to master, thanks.

Could you have a look the other issues, please? At the moment, 
libselinux is
the biggest source of build failures:
https://lore.kernel.org/buildroot/694774fb.050a0220.99314.d33b@mx.google.com/T/#u

Best regards,

Julien.
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH 1/1] package/libselinux: host-python3 needs SSL support

[Thomas Petazzoni via buildroot]

Hello Bernd,

On Wed, 17 Dec 2025 19:48:22 +0100
Bernd Kuhls <bernd@kuhls.net> wrote:

>   WARNING: pip is configured with locations that require TLS/SSL,
>    however the ssl module in Python is not available.
> [...]
>   Could not fetch URL https://pypi.org/simple/setuptools/:
>    There was a problem confirming the ssl certificate:
>    HTTPSConnectionPool(host='pypi.org', port=443): Max retries exceeded
>    with url: /simple/setuptools/ (Caused by SSLError("Can't connect to
>    HTTPS URL because the SSL module is not available.")) - skipping
>   ERROR: Could not find a version that satisfies the requirement setuptools>=40.8.0 (from versions: none)

This should be a very strong red flag. Why is the build process of
libselinux even trying to connect to the network to download stuff? It
definitely should not, as everything should be downloaded by Buildroot.
Packages are not allowed to download random stuff.

> +	select BR2_PACKAGE_HOST_PYTHON3_SSL if BR2_PACKAGE_PYTHON3

This doesn't work as it doesn't make sense: it is perfectly possible
for host-libselinux to be built, which will build host-python-pip,
without BR2_PACKAGE_PYTHON3=y.

See the build failures that continue to pop up:

  https://autobuild.buildroot.net/?reason=host-libselinux%

For example:

  https://autobuild.buildroot.net/results/0e9/0e9de0c0d8b6ec57eea9f8834f02076b296ba4f1/config

has:

  # BR2_PACKAGE_PYTHON3 is not set

So your patch has no effect to fix the issue.

The solution is clearly not to add SSL support in Python. The solution
is to make sure libselinux doesn't use pip to connect over the network.

Best regards,

Thomas
-- 
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH 1/1] package/libselinux: host-python3 needs SSL support

[Thomas Petazzoni via buildroot]

Hello Bernd,

On Wed, 17 Dec 2025 19:48:22 +0100
Bernd Kuhls <bernd@kuhls.net> wrote:

> Buildroot commit 285097051d4a7dd821f01d15c705867f7e26c635 bumped
> python-pip to version 25.3, causing build errors when host-python3 was
> built without SSL support:

Following my previous report, I ended up reverting this patch, as it is
incorrect, and in fact not needed. Instead, I committed your
"package/libselinux: fix Python build errors" after doing a small fix
that makes it also work for host-libselinux.

Thomas
-- 
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot