* [Buildroot] [PATCH] package/openssh: fix dependencies with refpolicy
@ 2024-02-25 9:24 Yann E. MORIN
2024-02-28 11:25 ` Peter Korsgaard
2024-03-18 11:43 ` Peter Korsgaard
0 siblings, 2 replies; 3+ messages in thread
From: Yann E. MORIN @ 2024-02-25 9:24 UTC (permalink / raw)
To: buildroot; +Cc: Adam Duskett, Yann E. MORIN, Thomas Petazzoni, Fabrice Fontaine
Commit 2c5a82a29ceb (package/openssh: select linux-pam if refpolicy
upstream is selected) did not account for the linux-pam dependencies
before selecting it, causing unmet dependencies warnings (unfortunately,
not errors), such as:
$ KCONFIG_SEED=0xCF227CF4 make randconfig
WARNING: unmet direct dependencies detected for BR2_PACKAGE_LINUX_PAM
Depends on [n]: BR2_ENABLE_LOCALE [=n] && BR2_USE_WCHAR [=n] && !BR2_STATIC_LIBS [=n] && BR2_USE_MMU [=y] && BR2_TOOLCHAIN_GCC_AT_LEAST_4_9 [=y]
Selected by [y]:
- BR2_PACKAGE_OPENSSH [=y] && BR2_USE_MMU [=y] && BR2_PACKAGE_REFPOLICY_UPSTREAM_VERSION [=y]
2c5a82a29ceb made the choice of having openssl bear the responsibility
to select linux-pam when the upstream refpolicy version was enabled.
Semantically however, the responsibility really lies within refpolicy
itself, since that's what imposes linux-pam to openssh.
Move the select to refpolicy and drop it from openssh. Then, ensure that
linux-pam is only selected when it is available.
That means that one may get an openssh that is not linked against
linux-pam, when the linux-pam dependencies are not met; refpolicy (by
way of libsepol) also has a more stringent requirement on gcc version
than linux-pam, so most probably the missing dependencies would be
locale, wchar, or a static build. We consider that situation to be a
corner case that we do not want to address.
In the future, we may have more similar situations, whereby refpolicy
would impose other packages be linked with otherwise optional
dependencies. If (when) that were (will be) the case, then the proposed
mechanism would quickly become ugly; we could then re-assess a nicer way
to do that. Until then, this is good ebough.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Adam Duskett <adam.duskett@amarulasolutions.com>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
Changes v1 -> v2:
- simplify the logic: have refpolicy bear the select
---
package/openssh/Config.in | 1 -
package/refpolicy/Config.in | 8 ++++++++
2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/package/openssh/Config.in b/package/openssh/Config.in
index a3038ba01f..08d3c7d391 100644
--- a/package/openssh/Config.in
+++ b/package/openssh/Config.in
@@ -1,7 +1,6 @@
config BR2_PACKAGE_OPENSSH
bool "openssh"
depends on BR2_USE_MMU # fork()
- select BR2_PACKAGE_LINUX_PAM if BR2_PACKAGE_REFPOLICY_UPSTREAM_VERSION
select BR2_PACKAGE_OPENSSL
select BR2_PACKAGE_ZLIB
help
diff --git a/package/refpolicy/Config.in b/package/refpolicy/Config.in
index 0e72b895df..8ae8f0448d 100644
--- a/package/refpolicy/Config.in
+++ b/package/refpolicy/Config.in
@@ -36,6 +36,14 @@ choice
config BR2_PACKAGE_REFPOLICY_UPSTREAM_VERSION
bool "Upstream version"
+ # Consider reworking the following when adding new entries:
+ # Upstream refpolicy for openssh expects linux-pam to be used
+ select BR2_PACKAGE_LINUX_PAM if BR2_PACKAGE_OPENSSH \
+ && BR2_USE_MMU \
+ && BR2_ENABLE_LOCALE \
+ && BR2_USE_WCHAR \
+ && !BR2_STATIC_LIBS \
+ && BR2_TOOLCHAIN_GCC_AT_LEAST_4_9
help
Use the refpolicy as provided by Buildroot.
--
2.43.2
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply related [flat|nested] 3+ messages in thread* Re: [Buildroot] [PATCH] package/openssh: fix dependencies with refpolicy
2024-02-25 9:24 [Buildroot] [PATCH] package/openssh: fix dependencies with refpolicy Yann E. MORIN
@ 2024-02-28 11:25 ` Peter Korsgaard
2024-03-18 11:43 ` Peter Korsgaard
1 sibling, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2024-02-28 11:25 UTC (permalink / raw)
To: Yann E. MORIN; +Cc: Adam Duskett, Fabrice Fontaine, Thomas Petazzoni, buildroot
>>>>> "Yann" == Yann E MORIN <yann.morin.1998@free.fr> writes:
> Commit 2c5a82a29ceb (package/openssh: select linux-pam if refpolicy
> upstream is selected) did not account for the linux-pam dependencies
> before selecting it, causing unmet dependencies warnings (unfortunately,
> not errors), such as:
> $ KCONFIG_SEED=0xCF227CF4 make randconfig
> WARNING: unmet direct dependencies detected for BR2_PACKAGE_LINUX_PAM
> Depends on [n]: BR2_ENABLE_LOCALE [=n] && BR2_USE_WCHAR [=n] && !BR2_STATIC_LIBS [=n] && BR2_USE_MMU [=y] && BR2_TOOLCHAIN_GCC_AT_LEAST_4_9 [=y]
> Selected by [y]:
> - BR2_PACKAGE_OPENSSH [=y] && BR2_USE_MMU [=y] && BR2_PACKAGE_REFPOLICY_UPSTREAM_VERSION [=y]
> 2c5a82a29ceb made the choice of having openssl bear the responsibility
> to select linux-pam when the upstream refpolicy version was enabled.
> Semantically however, the responsibility really lies within refpolicy
> itself, since that's what imposes linux-pam to openssh.
> Move the select to refpolicy and drop it from openssh. Then, ensure that
> linux-pam is only selected when it is available.
> That means that one may get an openssh that is not linked against
> linux-pam, when the linux-pam dependencies are not met; refpolicy (by
> way of libsepol) also has a more stringent requirement on gcc version
> than linux-pam, so most probably the missing dependencies would be
> locale, wchar, or a static build. We consider that situation to be a
> corner case that we do not want to address.
> In the future, we may have more similar situations, whereby refpolicy
> would impose other packages be linked with otherwise optional
> dependencies. If (when) that were (will be) the case, then the proposed
> mechanism would quickly become ugly; we could then re-assess a nicer way
> to do that. Until then, this is good ebough.
> Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
> Cc: Adam Duskett <adam.duskett@amarulasolutions.com>
> Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
> Cc: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> ---
> Changes v1 -> v2:
> - simplify the logic: have refpolicy bear the select
Committed, thanks.
--
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [Buildroot] [PATCH] package/openssh: fix dependencies with refpolicy
2024-02-25 9:24 [Buildroot] [PATCH] package/openssh: fix dependencies with refpolicy Yann E. MORIN
2024-02-28 11:25 ` Peter Korsgaard
@ 2024-03-18 11:43 ` Peter Korsgaard
1 sibling, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2024-03-18 11:43 UTC (permalink / raw)
To: Yann E. MORIN; +Cc: Adam Duskett, Fabrice Fontaine, Thomas Petazzoni, buildroot
>>>>> "Yann" == Yann E MORIN <yann.morin.1998@free.fr> writes:
> Commit 2c5a82a29ceb (package/openssh: select linux-pam if refpolicy
> upstream is selected) did not account for the linux-pam dependencies
> before selecting it, causing unmet dependencies warnings (unfortunately,
> not errors), such as:
> $ KCONFIG_SEED=0xCF227CF4 make randconfig
> WARNING: unmet direct dependencies detected for BR2_PACKAGE_LINUX_PAM
> Depends on [n]: BR2_ENABLE_LOCALE [=n] && BR2_USE_WCHAR [=n] && !BR2_STATIC_LIBS [=n] && BR2_USE_MMU [=y] && BR2_TOOLCHAIN_GCC_AT_LEAST_4_9 [=y]
> Selected by [y]:
> - BR2_PACKAGE_OPENSSH [=y] && BR2_USE_MMU [=y] && BR2_PACKAGE_REFPOLICY_UPSTREAM_VERSION [=y]
> 2c5a82a29ceb made the choice of having openssl bear the responsibility
> to select linux-pam when the upstream refpolicy version was enabled.
> Semantically however, the responsibility really lies within refpolicy
> itself, since that's what imposes linux-pam to openssh.
> Move the select to refpolicy and drop it from openssh. Then, ensure that
> linux-pam is only selected when it is available.
> That means that one may get an openssh that is not linked against
> linux-pam, when the linux-pam dependencies are not met; refpolicy (by
> way of libsepol) also has a more stringent requirement on gcc version
> than linux-pam, so most probably the missing dependencies would be
> locale, wchar, or a static build. We consider that situation to be a
> corner case that we do not want to address.
> In the future, we may have more similar situations, whereby refpolicy
> would impose other packages be linked with otherwise optional
> dependencies. If (when) that were (will be) the case, then the proposed
> mechanism would quickly become ugly; we could then re-assess a nicer way
> to do that. Until then, this is good ebough.
> Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
> Cc: Adam Duskett <adam.duskett@amarulasolutions.com>
> Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
> Cc: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> ---
> Changes v1 -> v2:
> - simplify the logic: have refpolicy bear the select
Committed to 2023.02.x and 2023.11.x, thanks.
--
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2024-03-18 11:43 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-02-25 9:24 [Buildroot] [PATCH] package/openssh: fix dependencies with refpolicy Yann E. MORIN
2024-02-28 11:25 ` Peter Korsgaard
2024-03-18 11:43 ` Peter Korsgaard
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox