Re: [OE-core] [PATCH] python3-cryptography: workaround broken native functionality

public inbox for openembedded-core@lists.openembedded.org
 help / color / mirror / Atom feed

From: Richard Purdie <richard.purdie@linuxfoundation.org>
To: Mikko Rapeli <mikko.rapeli@linaro.org>
Cc: openembedded-core@lists.openembedded.org
Subject: Re: [OE-core] [PATCH] python3-cryptography: workaround broken native functionality
Date: Wed, 14 Sep 2022 09:58:06 +0100	[thread overview]
Message-ID: <5ec5afd63da50d7bcd823275857dc0da4a2e9ae0.camel@linuxfoundation.org> (raw)
In-Reply-To: <CAJFpGrNM3sqj0o0L3CtNOtiLsq=++sbxun5eGXZHPN+A-oT3Zg@mail.gmail.com>

On Wed, 2022-09-14 at 11:09 +0300, Mikko Rapeli wrote:
> Hi,
> 
> Found the root cause. As suggested on #pyco too maybe native openssl
> was mising legacy support.
> It wasn't but loading the on purpose hidden openssl legacy.so was
> failing. It is located in
> recipe-sysroot-native/usr/lib/ossl-modules/legacy.so and only found
> via OPENSSL_MODULES
> variable which wasn't set for python3-native users. These custom
> variables are set in the native openssl
> wrapper script and this also fixes the not found openssl.cnf. Now I
> could send a patch which sets
> the OPENSSL_CONF, OPENSSL_ENGINES and OPENSSL_MODULES paths for python3
> users via python3native.bbclass:
> 
> --- a/meta/classes-recipe/python3native.bbclass
> +++ b/meta/classes-recipe/python3native.bbclass
> @@ -28,3 +28,10 @@ export PYTHONNOUSERSITE = "1"
> 
>  # autoconf macros will use their internal default preference otherwise
>  export PYTHON
> +
> +# find openssl under python, see openssl native wrapper
> +export OPENSSL_CONF="${STAGING_LIBDIR_NATIVE}/ssl-3/openssl.cnf"
> +export SSL_CERT_DIR="${STAGING_LIBDIR_NATIVE}/ssl-3/certs"
> +export SSL_CERT_FILE="${STAGING_LIBDIR_NATIVE}/ssl-3/cert.pem"
> +export OPENSSL_ENGINES="${STAGING_LIBDIR_NATIVE}/engines-3"
> +export OPENSSL_MODULES="${STAGING_LIBDIR_NATIVE}/ossl-modules"
> 
> but that is still a copy of those variables which openssl recipe owns,
> and other users of openssl may
> have similar issues. Is there a way to export these for everyone who
> depends directly or indirectly
> from openssl-native?

Thanks for finding the root cause, this definitely helps a lot.

I'm extremely reluctant to add global exports to the system, they have
nasty effects on sstate checksum files and add overhead I'd prefer not
to have.

I wondered if we could patch openssl to code/find the location of these
files relative to the main library? Presumably that code knows where
the library itself is located so searching a relative path from there
might be something upstream might consider? It is a generic approach
which would work for al the variables too.

It is a patch we'd probably consider carrying if necessary but if there
were upstream buyin, that would obviously be much better.

Cheers,

Richard

next prev parent reply	other threads:[~2022-09-14  8:58 UTC|newest]

Thread overview: 18+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-09-13  9:34 [PATCH] python3-cryptography: workaround broken native functionality Mikko Rapeli
2022-09-13 10:01 ` [OE-core] " Richard Purdie
2022-09-13 10:29   ` Mikko Rapeli
2022-09-13 10:34     ` Richard Purdie
2022-09-13 11:13       ` Mikko Rapeli
2022-09-13 12:24         ` Richard Purdie
2022-09-14  8:09           ` Mikko Rapeli
2022-09-14  8:19             ` Alexander Kanavin
2022-09-14  8:43               ` Mikko Rapeli
2022-09-14  8:45                 ` Alexander Kanavin
2022-09-14  8:51                   ` Mikko Rapeli
2022-09-14  8:52                     ` Alexander Kanavin
2022-09-14  8:58             ` Richard Purdie [this message]
2022-09-15 11:17             ` Ross Burton
2022-09-15 11:26               ` Mikko Rapeli
2022-09-15 11:36                 ` Martin Jansa
2022-09-20 10:20                   ` Mikko Rapeli
2022-09-20 11:35                     ` Richard Purdie

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=5ec5afd63da50d7bcd823275857dc0da4a2e9ae0.camel@linuxfoundation.org \
    --to=richard.purdie@linuxfoundation.org \
    --cc=mikko.rapeli@linaro.org \
    --cc=openembedded-core@lists.openembedded.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox