From: "Böszörményi Zoltán" <zboszor@gmail.com>
To: Alexander Kanavin <alex.kanavin@gmail.com>
Cc: Richard Purdie <richard.purdie@linuxfoundation.org>,
Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>,
openembedded-core@lists.openembedded.org,
Randy MacLeod <randy.macleod@windriver.com>,
Khem Raj <raj.khem@gmail.com>
Subject: Re: [OE-core][PATCH v12 1/5] rpm-sequoia-crypto-policy: New recipe
Date: Thu, 13 Feb 2025 16:27:00 +0100
Message-ID: <8f8bc643-200a-4683-ab8b-bdec41cb285b@gmail.com>
In-Reply-To: <CANNYZj_-7X7bbXwX0hcj68R7z7YqaFQ=5gwZKE3dQiGpubaMqg@mail.gmail.com>
On 2025-02-13 16:16, Alexander Kanavin wrote:
> Generally it's best to resend the whole patchset, as sending
> individual follow up patches doesn't scale for maintainers, they can
> easily lose track of how to combine everything into a non-broken set
> of commits if many people start sending partial patches at the same
> time.
Got it. I re-sent the whole series with this small fix included.
>
> Alex
>
> On Thu, 13 Feb 2025 at 16:14, Böszörményi Zoltán <zboszor@gmail.com> wrote:
>> On 2025-02-13 16:06, Richard Purdie wrote:
>>> On Thu, 2025-02-13 at 15:43 +0100, Böszörményi Zoltán wrote:
>>>> On 2025-02-13 15:20, Zoltan Boszormenyi via lists.openembedded.org wrote:
>>>>> On 2025-02-13 14:36, Mathieu Dubois-Briand wrote:
>>>>>> On Wed Feb 12, 2025 at 5:35 AM CET, Zoltán Böszörményi wrote:
>>>>>>> This ships a crypto policy file for rpm-sequoia.
>>>>>>>
>>>>>>> Signed-off-by: Zoltán Böszörményi <zboszor@gmail.com>
>>>>>>> ---
>>>>>> Hi Zoltán,
>>>>>>
>>>>>> I believe we have a new issue with this version:
>>>>>>
>>>>>>> python/build-crypto-policies.py --reloadcmds policies output
>>>>>>> /tmp/tmpqvyryz80: line 5: Bad configuration option:
>>>>>>> pubkeyacceptedalgorithms
>>>>>>> /tmp/tmpqvyryz80: line 6: Bad configuration option:
>>>>>>> hostbasedacceptedalgorithms
>>>>>>> /tmp/tmpqvyryz80: line 8: Bad configuration option:
>>>>>>> requiredrsasize
>>>>>>> /tmp/tmpqvyryz80: terminating, 3 bad configuration options
>>>>>>> There is an error in OpenSSH server generated policy
>>>>>> https://autobuilder.yoctoproject.org/valkyrie/?#/builders/3/builds/1027/steps/11/logs/stdio
>>>>>>
>>>>>>
>>>>>>
>>>>>> Can you have a look at this error please?
>>>>> I tested the recipe on Fedora 41 with:
>>>>> * nss 3.107.0 installed with /usr/bin/nss-policy-check present, and
>>>>> * faking uninstalling it by renaming /usr/bin/nss-policy-check
>>>>>
>>>>> Both worked.
>>>>>
>>>>> Some of your build hosts where nss was not installed complained
>>>>> about executing nss-policy-check unconditionally, which is now
>>>>> fixed.
>>>>>
>>>>> I think this is on a build host with a very old nss version
>>>>> installed.
>>>>> Can you uninstall it?
>>>> I found an alternative solution but it involves patching out
>>>> most of the policy generators:
>>>>
>>>> ================================================
>>>> $ git diff python/policygenerators/__init__.py
>>>> diff --git a/python/policygenerators/__init__.py
>>>> b/python/policygenerators/__init__.py
>>>> index 0e3013e..180fb2a 100644
>>>> --- a/python/policygenerators/__init__.py
>>>> +++ b/python/policygenerators/__init__.py
>>>> @@ -3,34 +3,8 @@
>>>> # Copyright (c) 2019 Red Hat, Inc.
>>>> # Copyright (c) 2019 Tomáš Mráz <tmraz@fedoraproject.org>
>>>>
>>>> -from .bind import BindGenerator
>>>> -from .gnutls import GnuTLSGenerator
>>>> -from .java import JavaGenerator
>>>> -from .krb5 import KRB5Generator
>>>> -from .libreswan import LibreswanGenerator
>>>> -from .libssh import LibsshGenerator
>>>> -from .nss import NSSGenerator
>>>> -from .openssh import OpenSSHClientGenerator, OpenSSHServerGenerator
>>>> -from .openssl import (
>>>> - OpenSSLConfigGenerator,
>>>> - OpenSSLFIPSGenerator,
>>>> - OpenSSLGenerator,
>>>> -)
>>>> -from .sequoia import RPMSequoiaGenerator, SequoiaGenerator
>>>> +from .sequoia import RPMSequoiaGenerator
>>>>
>>>> __all__ = [
>>>> - 'BindGenerator',
>>>> - 'GnuTLSGenerator',
>>>> - 'JavaGenerator',
>>>> - 'KRB5Generator',
>>>> - 'LibreswanGenerator',
>>>> - 'LibsshGenerator',
>>>> - 'NSSGenerator',
>>>> - 'OpenSSHClientGenerator',
>>>> - 'OpenSSHServerGenerator',
>>>> - 'OpenSSLConfigGenerator',
>>>> - 'OpenSSLFIPSGenerator',
>>>> - 'OpenSSLGenerator',
>>>> 'RPMSequoiaGenerator',
>>>> - 'SequoiaGenerator',
>>>> ]
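Review bot: the hunk drops every generator except RPMSequoiaGenerator from the imports and from `__all__`, although the autobuilder log quoted above only reports the OpenSSH server policy failing (`Bad configuration option: pubkeyacceptedalgorithms` and friends from the generated sshd config check). Removing thirteen generators to silence two host-side `test_config()` checks is a much larger change than the failure warrants, and, as the author notes, it can only be carried as `Upstream-Status: Inappropriate`. A narrower fix would keep the import list intact and skip just the openssh and opensshserver config validation when the host has no usable `ssh`/`sshd` (the follow-up in this thread says those checks can be disabled with an environment variable), which also keeps the generated policy set identical to upstream's and avoids a native-only `SRC_URI:append:class-native` patch that diverges from the target build.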
>>>> ================================================
>>>>
>>>> That should work with this old nss version according to
>>>> the log.do_compile output.
>>>>
>>>> I can't see an easy way to make these imports and list conditional,
>>>> so the patch would be "Upstream-Status: Inappropriate".
>>>>
>>>> Since it should only happen for the native build, the patch can be
>>>>
>>>> SRC_URI:append:class-native = "..."
>>>>
>>>> As far as I know, /usr/bin is filtered from target builds but not
>>>> from native builds.
>>> We only allow access to things from HOSTTOOLS, nothing else is meant to
>>> be used, even for native builds.
>> As I wrote, I misdiagnosed it. There's no problem with nss-policy-check.
>>
>> Does HOSTTOOLS include /usr/bin/ssh and /usr/bin/sshd?
>> Because the test_config() class method only fails for openssh and opensshserver.
>> They can be ignored with an envvar.
>>