Re: [Buildroot] [PATCH 3/4] package/openscap: add openscap package

["Alexis Lothoré via buildroot" <buildroot@buildroot.org>]

On Wed Jul 30, 2025 at 7:02 PM CEST, Thomas Petazzoni via buildroot wrote:
> Hello Alexis,

[...]

>> +		      -DENABLE_OSCAP_UTIL=ON \
>> +		      -DENABLE_OSCAP_UTIL_DOCKER=OFF \
>> +		      -DENABLE_OSCAP_UTIL_CHROOT=OFF \
>> +		      -DENABLE_OSCAP_UTIL_PODMAN=OFF \
>> +		      -DENABLE_OSCAP_UTIL_VM=OFF \
>> +		      -DENABLE_PROBES_WINDOWS=OFF \
>> +		      -DENABLE_TESTS=OFF \
>> +		      -DWITH_CRYPTO=gcrypt \
>> +		      -DENABLE_PYTHON3=ON
>
> Only one tab for the indentation.
>
> Questions:
>
> - You're using WITH_CRYPTO=gcrypt, but you also select
>   BR2_PACKAGE_OPENSSL. You need both?

So from the CMakeLists.txt:

find_package(OpenSSL REQUIRED)
[...]
# WITH_CRYPTO
set(WITH_CRYPTO "gcrypt" CACHE STRING "gcrypt|nss")
if(${WITH_CRYPTO} STREQUAL "nss")
        message("-- Using NSS")
        find_package(NSS)
else()
        message("-- Using GCrypt")
        find_package(GCrypt)
endif()
if(GCRYPT_FOUND OR NSS_FOUND)
        set(CRYPTO_FOUND TRUE)
endif()

it looks like gcrypt/nss is not mandatory. But if I try to configure and
run a build in an environment without libgcrypt, I got same late linkage
error, about some missing crapi_init (no, I am not making this function's
name up...) being missing. It appears that there are code paths
preprocessed conditionnaly on either libgcrypt or nss presence, without any
fallback if none is found. I am not sure if I am facing some optional
dependencies that are not "optional enough" in the code base, or some hard
dpendencies that are not sufficiently enforced in the cmake files. But in
the project current state, the software does not build without libgcrypt.

If I take a further look at the dev doc
(https://github.com/OpenSCAP/openscap/blob/main/docs/developer/developer.adoc),
it seems to hint that libgcrypt is actually needed in any case.

I'll remove the WITH_CRYPTO=gcrypt though, as it is the default value in
CMakeLists.txt.

> - You're setting ENABLE_PYTHON3=ON, but your target package does not
>   depend on host-python3 nor python3 in terms of build dependency.
>   Could you clarify what this ENABLE_PYTHON3 option does?

That's an omission on my side. This ENABLE_PYTHON3 allows building some
bindings (to write some python automation tools based on openscap ?) if the
interpreter is found. I'll remove it.

>> +
>> +HOST_OPENSCAP_CONF_OPTS = \
>> +		      -DENABLE_OSCAP_UTIL=ON \
>> +		      -DENABLE_OSCAP_UTIL_DOCKER=OFF \
>> +		      -DENABLE_OSCAP_UTIL_CHROOT=OFF \
>> +		      -DENABLE_OSCAP_UTIL_PODMAN=OFF \
>> +		      -DENABLE_OSCAP_UTIL_VM=OFF \
>> +		      -DENABLE_PROBES_WINDOWS=OFF \
>> +		      -DENABLE_TESTS=OFF \
>> +		      -DWITH_CRYPTO=gcrypt \
>> +		      -DENABLE_PYTHON3=ON
>> +
>> +ifeq ($(BR2_PACKAGE_ACL),y)
>> +OPENSCAP_DEPENDENCIES += acl
>> +endif
>
> No explicit option to enable/disable ACL support?

Unfortunately no, this is searched unconditionally:

find_package(ACL)
if(ACL_FOUND)
        check_library_exists("${ACL_LIBRARY}" acl_extended_file "" HAVE_ACL_EXTENDED_FILE)
        check_include_file(acl/libacl.h HAVE_ACL_LIBACL_H)
        check_include_file(sys/acl.h HAVE_SYS_ACL_H)
endif()

>> +
>> +ifeq ($(BR2_PACKAGE_LIBCAP),y)
>> +OPENSCAP_DEPENDENCIES += libcap
>> +endif
>
> Same question.

Ditto

Alexis

-- 
Alexis Lothoré, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot