Message ID | 20230624053223.228117-2-raj.khem@gmail.com |
---|---|
State | New |
Series | [1/3] mesa: Fix build with upcoming LLVM 17 |
Hello Khem,

This causes python ptest failures:

{'python3': ['test_crypt', 'test_methods', 'test_sha2_rounds']}

We should probably disable those

On 23/06/2023 22:32:21-0700, Khem Raj wrote:
> This ensures that weak algorithms are not included, which should improve
> the defaults to be more secure
>
> Signed-off-by: Khem Raj <raj.khem@gmail.com>
> ---
> meta/recipes-core/libxcrypt/libxcrypt.inc | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/meta/recipes-core/libxcrypt/libxcrypt.inc b/meta/recipes-core/libxcrypt/libxcrypt.inc > index 997e83fb004..db43a34b11d 100644 > --- a/meta/recipes-core/libxcrypt/libxcrypt.inc > +++ b/meta/recipes-core/libxcrypt/libxcrypt.inc > @@ -29,7 +29,7 @@ BUILD_CPPFLAGS = "-I${STAGING_INCDIR_NATIVE}" > TARGET_CPPFLAGS = "-I${STAGING_DIR_TARGET}${includedir} -Wno-error" > CPPFLAGS:append:class-nativesdk = " -Wno-error" > > -API = "--disable-obsolete-api" > +API = "--disable-obsolete-api --enable-hashes=strong" > EXTRA_OECONF += "${API}" > > BBCLASSEXTEND = "native nativesdk" > -- > 2.41.0
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#183356): https://lists.openembedded.org/g/openembedded-core/message/183356
> Mute This Topic: https://lists.openembedded.org/mt/99749300/3617179
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [alexandre.belloni@bootlin.com]
> -=-=-=-=-=-=-=-=-=-=-=-

On 30 Jun 2023, at 14:30, Alexandre Belloni via lists.openembedded.org <alexandre.belloni=bootlin.com@lists.openembedded.org> wrote:
>
> Hello Khem,
>
> This causes python ptest failures:
>
> {'python3': ['test_crypt', 'test_methods', 'test_sha2_rounds']}
>
> We should probably disable those

I would say to send a patch upstream to make those tests not depend on the unsafe algorithms existing, but the entire module has been removed in the next release of Python…

Ross

I would also suggest that xcrypt itself is changed to default only to strong algorithms, and weak algorithms is an opt-in. This idea of 'letting users decide' which crypto they want from all-included set is frankly maddening, and I do not understand why it's still happening in 2023.

Alex

On Tue, 4 Jul 2023 at 12:54, Ross Burton <ross.burton@arm.com> wrote:
>
> On 30 Jun 2023, at 14:30, Alexandre Belloni via lists.openembedded.org <alexandre.belloni=bootlin.com@lists.openembedded.org> wrote:
> >
> > Hello Khem,
> >
> > This causes python ptest failures:
> >
> > {'python3': ['test_crypt', 'test_methods', 'test_sha2_rounds']}
> >
> > We should probably disable those
>
> I would say to send a patch upstream to make those tests not depend on the unsafe algorithms existing, but the entire module has been removed in the next release of Python…
>
> Ross

On Tue, Jul 4, 2023 at 3:54 AM Ross Burton <Ross.Burton@arm.com> wrote:
>
> On 30 Jun 2023, at 14:30, Alexandre Belloni via lists.openembedded.org <alexandre.belloni=bootlin.com@lists.openembedded.org> wrote:
> >
> > Hello Khem,
> >
> > This causes python ptest failures:
> >
> > {'python3': ['test_crypt', 'test_methods', 'test_sha2_rounds']}
> >
> > We should probably disable those
>
> I would say to send a patch upstream to make those tests not depend on the unsafe algorithms existing, but the entire module has been removed in the next release of Python…
>

crypt is already deprecated in python 11 and will be removed from python 13. [1] some packages have opened issues to track it e.g. [2]

[1] https://peps.python.org/pep-0594/#crypt
[2] https://github.com/saltstack/salt/issues/64263

This is good but perhaps a bit early for us to act upon it, since this would require packages to migrate away from it to use hashlib or some such equivalent module.

> Ross

On 30 Jun 2023, at 14:30, Alexandre Belloni via lists.openembedded.org <alexandre.belloni=bootlin.com@lists.openembedded.org> wrote:
>
> Hello Khem,
>
> This causes python ptest failures:
>
> {'python3': ['test_crypt', 'test_methods', 'test_sha2_rounds']}
>
> We should probably disable those

Guessing this is also the cause of the perl failures:

{'perl': ['t/op/crypt']}

and apr-util:

{'apr-util': ['testpass_3_of_6']}

Test 3 of 6 is test_shapass using SHA1.

If we want to do this then some effort will be needed to make all the test suites adapt to what algorithms are actually available.

Ross

On 05/07/2023 11:08:32+0000, Ross Burton wrote:
> On 30 Jun 2023, at 14:30, Alexandre Belloni via lists.openembedded.org <alexandre.belloni=bootlin.com@lists.openembedded.org> wrote:
> >
> > Hello Khem,
> >
> > This causes python ptest failures:
> >
> > {'python3': ['test_crypt', 'test_methods', 'test_sha2_rounds']}
> >
> > We should probably disable those
>
> Guessing this is also the cause of the perl failures:
>
> {'perl': ['t/op/crypt']}
>
> and apr-util:
>
> {'apr-util': ['testpass_3_of_6']}
>
> Test 3 of 6 is test_shapass using SHA1.
>

Yes it is, I should have added that. I dropped the patch for now.

> If we want to do this then some effort will be needed to make all the test suites adapt to what algorithms are actually available.
>
> Ross

diff --git a/meta/recipes-core/libxcrypt/libxcrypt.inc b/meta/recipes-core/libxcrypt/libxcrypt.inc index 997e83fb004..db43a34b11d 100644 --- a/meta/recipes-core/libxcrypt/libxcrypt.inc +++ b/meta/recipes-core/libxcrypt/libxcrypt.inc @@ -29,7 +29,7 @@ BUILD_CPPFLAGS = "-I${STAGING_INCDIR_NATIVE}" TARGET_CPPFLAGS = "-I${STAGING_DIR_TARGET}${includedir} -Wno-error" CPPFLAGS:append:class-nativesdk = " -Wno-error" -API = "--disable-obsolete-api" +API = "--disable-obsolete-api --enable-hashes=strong" EXTRA_OECONF += "${API}" BBCLASSEXTEND = "native nativesdk"
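Review bot: the `+API = "--disable-obsolete-api --enable-hashes=strong"` line puts hash selection into a variable named `API`, and because `EXTRA_OECONF += "${API}"` is unconditional, the restriction also reaches the `native` and `nativesdk` variants listed in `BBCLASSEXTEND`. A separate variable for the hash set, appended to `EXTRA_OECONF` alongside `${API}`, would let a distro override it without touching the obsolete-API setting and would let target and native builds differ if host tools still have to verify older hash formats. The commit message should also say which hash families `strong` leaves out and which test suites depend on them; the thread reports ptest failures in python3, perl and apr-util with this change applied.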
This ensures that weak algorithms are not included, which should improve
the defaults to be more secure

Signed-off-by: Khem Raj <raj.khem@gmail.com>
---
 meta/recipes-core/libxcrypt/libxcrypt.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)