
[v10,1/5] rpm-sequoia-crypto-policy: New recipe

Message ID 20250208072445.986573-1-zboszor@gmail.com
State Accepted, archived
Commit 8e499cefab6bfb40b40ae3eb811ca3eb51a7d4bc

Commit Message

Zoltán Böszörményi Feb. 8, 2025, 7:24 a.m. UTC
This ships a crypto policy file for rpm-sequoia.

Signed-off-by: Zoltán Böszörményi <zboszor@gmail.com>
---
 meta/conf/distro/include/maintainers.inc      |  1 +
 .../0001-Don-t-test-crypto-policies.patch     | 52 +++++++++++++++++++
 ...1-Make-xsltproc-settable-as-XSLTPROC.patch | 43 +++++++++++++++
 ...002-Don-t-use-hardcoded-python3-path.patch | 41 +++++++++++++++
 .../rpm-sequoia-crypto-policy_git.bb          | 39 ++++++++++++++
 5 files changed, 176 insertions(+)
 create mode 100644 meta/recipes-devtools/rpm-sequoia/rpm-sequoia-crypto-policy/0001-Don-t-test-crypto-policies.patch
 create mode 100644 meta/recipes-devtools/rpm-sequoia/rpm-sequoia-crypto-policy/0001-Make-xsltproc-settable-as-XSLTPROC.patch
 create mode 100644 meta/recipes-devtools/rpm-sequoia/rpm-sequoia-crypto-policy/0002-Don-t-use-hardcoded-python3-path.patch
 create mode 100644 meta/recipes-devtools/rpm-sequoia/rpm-sequoia-crypto-policy_git.bb

Comments

Alexander Kanavin Feb. 10, 2025, 9:03 a.m. UTC | #1
On Sat, 8 Feb 2025 at 08:24, Zoltán Böszörményi <zboszor@gmail.com> wrote:
> +Assume that the policies are good as they are committed.
> +The CI for fedora-crypto-policies ensures this.
> +
> +Upstream-Status: Inappropriate [Yocto specific]

The patch as it is is indeed not suitable, but perhaps you can open a
ticket, describe the issue, and see if upstream would be willing to
take a configuration option instead?

We generally ask that Inappropriate patches still come with ticket
links, so upstreams are aware of the problems we face. Sometimes
solutions come out of that, and if not, this documents their response.

Alex
Zoltán Böszörményi Feb. 10, 2025, 11:17 a.m. UTC | #2
On 2025. 02. 10. 10:03, Alexander Kanavin wrote:
> On Sat, 8 Feb 2025 at 08:24, Zoltán Böszörményi <zboszor@gmail.com> wrote:
>> +Assume that the policies are good as they are committed.
>> +The CI for fedora-crypto-policies ensures this.
>> +
>> +Upstream-Status: Inappropriate [Yocto specific]
> The patch as it is is indeed not suitable, but perhaps you can open a
> ticket, describe the issue, and see if upstream would be willing to
> take a configuration option instead?
>
> We generally ask that Inappropriate patches still come with ticket
> links, so upstreams are aware of the problems we face. Sometimes
> solutions come out of that, and if not
> this documents their response.

Ok, new approach, hopefully better.

The two new patches are also pushed to
https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/merge_requests/226
and all the problems I faced are described at
https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/issues/57

I just sent v11 with this change.
Zoltán Böszörményi Feb. 12, 2025, 4:35 a.m. UTC | #3
On 2025. 02. 10. 12:17, Zoltan Boszormenyi via lists.openembedded.org wrote:
> 2025. 02. 10. 10:03 keltezéssel, Alexander Kanavin írta:
>> On Sat, 8 Feb 2025 at 08:24, Zoltán Böszörményi <zboszor@gmail.com> wrote:
>>> +Assume that the policies are good as they are committed.
>>> +The CI for fedora-crypto-policies ensures this.
>>> +
>>> +Upstream-Status: Inappropriate [Yocto specific]
>> The patch as it is is indeed not suitable, but perhaps you can open a
>> ticket, describe the issue, and see if upstream would be willing to
>> take a configuration option instead?
>>
>> We generally ask that Inappropriate patches still come with ticket
>> links, so upstreams are aware of the problems we face. Sometimes
>> solutions come out of that, and if not
>> this documents their response.

The upstream discussion happened, my patches were
merged into fedora-crypto-policies. v12 series is on its way.

Patch

diff --git a/meta/conf/distro/include/maintainers.inc b/meta/conf/distro/include/maintainers.inc
index bec55a7c1c..648c8fceb8 100644
--- a/meta/conf/distro/include/maintainers.inc
+++ b/meta/conf/distro/include/maintainers.inc
@@ -744,6 +744,7 @@  RECIPE_MAINTAINER:pn-rpcbind = "Hongxu Jia <hongxu.jia@windriver.com>"
 RECIPE_MAINTAINER:pn-rng-tools = "Anuj Mittal <anuj.mittal@intel.com>"
 RECIPE_MAINTAINER:pn-rpcsvc-proto = "Khem Raj <raj.khem@gmail.com>"
 RECIPE_MAINTAINER:pn-rpm = "Robert Yang <liezhi.yang@windriver.com>"
+RECIPE_MAINTAINER:pn-rpm-sequoia-crypto-policy = "Zoltán Böszörményi <zboszor@gmail.com>"
 RECIPE_MAINTAINER:pn-rsync = "Yi Zhao <yi.zhao@windriver.com>"
 RECIPE_MAINTAINER:pn-rt-tests = "Unassigned <unassigned@yoctoproject.org>"
 RECIPE_MAINTAINER:pn-ruby = "Ross Burton <ross.burton@arm.com>"
diff --git a/meta/recipes-devtools/rpm-sequoia/rpm-sequoia-crypto-policy/0001-Don-t-test-crypto-policies.patch b/meta/recipes-devtools/rpm-sequoia/rpm-sequoia-crypto-policy/0001-Don-t-test-crypto-policies.patch
new file mode 100644
index 0000000000..1967488e89
--- /dev/null
+++ b/meta/recipes-devtools/rpm-sequoia/rpm-sequoia-crypto-policy/0001-Don-t-test-crypto-policies.patch
@@ -0,0 +1,52 @@ 
+From 8491263ad74ce0f30af033ea6e2679212ce197f5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zolt=C3=A1n=20B=C3=B6sz=C3=B6rm=C3=A9nyi?=
+ <zboszor@gmail.com>
+Date: Sat, 8 Feb 2025 07:23:28 +0100
+Subject: [PATCH] Don't test crypto policies
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Assume that the policies are good as they are committed.
+The CI for fedora-crypto-policies ensures this.
+
+Upstream-Status: Inappropriate [Yocto specific]
+Signed-off-by: Zoltán Böszörményi <zboszor@gmail.com>
+---
+ python/build-crypto-policies.py | 20 ++++++++------------
+ 1 file changed, 8 insertions(+), 12 deletions(-)
+
+diff --git a/python/build-crypto-policies.py b/python/build-crypto-policies.py
+index a75b6f6..f1107ba 100755
+--- a/python/build-crypto-policies.py
++++ b/python/build-crypto-policies.py
+@@ -104,18 +104,14 @@ def build_policy(cmdline, policy_name, subpolicy_names=None):
+         gen = cls()
+         config = gen.generate_config(ucp)
+ 
+-        if policy_name in {'EMPTY', 'GOST-ONLY'} or gen.test_config(config):
+-            try:
+-                name = ':'.join([policy_name, *subpolicy_names])
+-                if not save_config(cmdline, name, gen.CONFIG_NAME, config):
+-                    err = 5
+-            except OSError:
+-                eprint('Error saving config for ' + gen.CONFIG_NAME)
+-                eprint('Keeping original configuration')
+-                err = 4
+-        else:
+-            eprint('Error testing config for ' + gen.CONFIG_NAME)
+-            err = 3
++        try:
++            name = ':'.join([policy_name, *subpolicy_names])
++            if not save_config(cmdline, name, gen.CONFIG_NAME, config):
++                err = 5
++        except OSError:
++            eprint('Error saving config for ' + gen.CONFIG_NAME)
++            eprint('Keeping original configuration')
++            err = 4
+     return err
+ 
+ 
+-- 
+2.48.1
+
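Review bot: the `Upstream-Status: Inappropriate [Yocto specific]` line in this patch carries no ticket link, while the other two patches in the series point at merge request 226; the reason `test_config()` cannot run here belongs in the same upstream issue so the status can be tracked, and the reply thread on this page shows the author later filed it. Beyond the paperwork, the hunk removes the `gen.test_config(config)` check and the `err = 3` path unconditionally, so a generated back-end config that the original script would have rejected is now written out with exit status 0; a build-time regression in a crypto policy file is exactly what that check exists to catch. A narrower change that keeps the check and makes it skippable, for example a command-line option or an environment variable consulted next to the existing `policy_name in {'EMPTY', 'GOST-ONLY'}` condition, would be easier to carry and is closer to what upstream is likely to accept. Finally, this file is named `0001-Don-t-test-crypto-policies.patch` while `0001-Make-xsltproc-settable-as-XSLTPROC.patch` in the same directory already uses that prefix and the recipe applies this patch third; numbering it `0003` avoids the collision and matches the apply order.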
diff --git a/meta/recipes-devtools/rpm-sequoia/rpm-sequoia-crypto-policy/0001-Make-xsltproc-settable-as-XSLTPROC.patch b/meta/recipes-devtools/rpm-sequoia/rpm-sequoia-crypto-policy/0001-Make-xsltproc-settable-as-XSLTPROC.patch
new file mode 100644
index 0000000000..dc57989c2d
--- /dev/null
+++ b/meta/recipes-devtools/rpm-sequoia/rpm-sequoia-crypto-policy/0001-Make-xsltproc-settable-as-XSLTPROC.patch
@@ -0,0 +1,43 @@ 
+From f4adfb74c1f13cbddcbc20b6aa6aebe58956083e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zolt=C3=A1n=20B=C3=B6sz=C3=B6rm=C3=A9nyi?=
+ <zboszor@gmail.com>
+Date: Thu, 6 Feb 2025 12:20:09 +0100
+Subject: [PATCH 1/2] Make xsltproc settable as XSLTPROC
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This allows not building the documentation with:
+
+  make ASCIIDOC=echo XSLTPROC=echo
+
+Signed-off-by: Zoltán Böszörményi <zboszor@gmail.com>
+Upstream-Status: Submitted [https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/merge_requests/226]
+---
+ Makefile | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/Makefile b/Makefile
+index 9d2b5c7..36b3702 100644
+--- a/Makefile
++++ b/Makefile
+@@ -15,6 +15,7 @@ NUM_PROCS = $$(getconf _NPROCESSORS_ONLN)
+ PYVERSION = -3
+ DIFFTOOL?=meld
+ ASCIIDOC?=asciidoc
++XSLTPROC?=xsltproc
+ ifneq ("$(wildcard /usr/lib/python*/*/asciidoc/resources/docbook-xsl/manpage.xsl)","")
+ MANPAGEXSL?=$(wildcard /usr/lib/python*/*/asciidoc/resources/docbook-xsl/manpage.xsl)
+ else
+@@ -134,7 +135,7 @@ clean:
+ 
+ %: %.txt
+ 	$(ASCIIDOC) -v -d manpage -b docbook $<
+-	xsltproc --nonet -o $@ ${MANPAGEXSL} $@.xml
++	$(XSLTPROC) --nonet -o $@ ${MANPAGEXSL} $@.xml
+ 
+ dist:
+ 	rm -rf crypto-policies && git clone . crypto-policies && rm -rf crypto-policies/.git/ && tar -czf crypto-policies-git$(VERSION).tar.gz crypto-policies && rm -rf crypto-policies
+-- 
+2.48.1
+
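Review bot: the Makefile change is fine and the `Upstream-Status: Submitted` link is present; what the commit message should also say is what `XSLTPROC=echo` actually does. With `ASCIIDOC=echo` the `%: %.txt` rule never produces `$@.xml`, and with `XSLTPROC=echo` it never produces `$@` either, so the rule only prints its two command lines; that is harmless for a one-shot build, but the man-page targets are then always considered out of date, and a reader of the recipe will not know that `-v -d manpage -b docbook` is being echoed rather than run. One sentence describing that in the message, or a single documentation on/off variable in the Makefile instead of overriding two tool variables, would make the intent clearer.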
diff --git a/meta/recipes-devtools/rpm-sequoia/rpm-sequoia-crypto-policy/0002-Don-t-use-hardcoded-python3-path.patch b/meta/recipes-devtools/rpm-sequoia/rpm-sequoia-crypto-policy/0002-Don-t-use-hardcoded-python3-path.patch
new file mode 100644
index 0000000000..a34f3c3a3b
--- /dev/null
+++ b/meta/recipes-devtools/rpm-sequoia/rpm-sequoia-crypto-policy/0002-Don-t-use-hardcoded-python3-path.patch
@@ -0,0 +1,41 @@ 
+From 47e70118dbd491a2aaf5669dc93e3f1471d19510 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zolt=C3=A1n=20B=C3=B6sz=C3=B6rm=C3=A9nyi?=
+ <zboszor@gmail.com>
+Date: Thu, 6 Feb 2025 12:00:36 +0100
+Subject: [PATCH 2/2] Don't use hardcoded python3 path
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This can help with cross-compiling.
+
+Signed-off-by: Zoltán Böszörményi <zboszor@gmail.com>
+Upstream-Status: Submitted [https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/merge_requests/226]
+---
+ python/build-crypto-policies.py  | 2 +-
+ python/update-crypto-policies.py | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/python/build-crypto-policies.py b/python/build-crypto-policies.py
+index a08ece2..a75b6f6 100755
+--- a/python/build-crypto-policies.py
++++ b/python/build-crypto-policies.py
+@@ -1,4 +1,4 @@
+-#!/usr/bin/python3
++#!/usr/bin/env python3
+ 
+ # SPDX-License-Identifier: LGPL-2.1-or-later
+ 
+diff --git a/python/update-crypto-policies.py b/python/update-crypto-policies.py
+index 97487dc..935bc9e 100755
+--- a/python/update-crypto-policies.py
++++ b/python/update-crypto-policies.py
+@@ -1,4 +1,4 @@
+-#!/usr/bin/python3
++#!/usr/bin/env python3
+ 
+ # SPDX-License-Identifier: LGPL-2.1-or-later
+ 
+-- 
+2.48.1
+
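Review bot: `#!/usr/bin/env python3` is the right shebang for running these scripts from the build environment, because `python3native` puts the native interpreter first on PATH and the hardcoded `/usr/bin/python3` bypassed it; the commit message could state that instead of the vague "This can help with cross-compiling". One consequence worth noting: `update-crypto-policies.py` is a runtime tool upstream, and although the recipe on this page does not install it, if it ever does, the shebang will then be resolved on the target at run time rather than at build time.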
diff --git a/meta/recipes-devtools/rpm-sequoia/rpm-sequoia-crypto-policy_git.bb b/meta/recipes-devtools/rpm-sequoia/rpm-sequoia-crypto-policy_git.bb
new file mode 100644
index 0000000000..f2c4f2e71c
--- /dev/null
+++ b/meta/recipes-devtools/rpm-sequoia/rpm-sequoia-crypto-policy_git.bb
@@ -0,0 +1,39 @@ 
+SUMMARY = "Crypto policy for rpm-sequoia"
+HOMEPAGE = "https://gitlab.com/redhat-crypto/fedora-crypto-policies/"
+
+LICENSE = "LGPL-2.1-or-later"
+
+LIC_FILES_CHKSUM = "file://COPYING.LESSER;md5=a6f89e2100d9b6cdffcea4f398e37343"
+
+DEPENDS = "coreutils-native openssl-native make-native"
+
+inherit allarch python3native
+
+SRC_URI = " \
+	git://gitlab.com/redhat-crypto/fedora-crypto-policies.git;protocol=https;branch=master \
+	file://0001-Make-xsltproc-settable-as-XSLTPROC.patch \
+	file://0002-Don-t-use-hardcoded-python3-path.patch \
+	file://0001-Don-t-test-crypto-policies.patch \
+"
+
+SRCREV = "445ecc87af202c8fc9249b453f41c3ac4553ffbd"
+UPSTREAM_CHECK_COMMITS = "1"
+
+S = "${UNPACKDIR}/git"
+
+do_compile () {
+	# Remove most policie variants, leave DEFAULT.pol
+	# It speeds up the build and we only need DEFAULT/rpm-sequoia.
+	rm -f $(ls -1 policies/*.pol | grep -v DEFAULT.pol) || echo nothing to delete
+
+	make ASCIIDOC=echo XSLTPROC=echo
+}
+
+do_install () {
+	install -d -m755 ${D}${datadir}/crypto-policies/back-ends
+	install -m644 ${S}/output/DEFAULT/rpm-sequoia.txt ${D}${datadir}/crypto-policies/back-ends/rpm-sequoia.config
+}
+
+FILES:${PN} = "${datadir}/crypto-policies/back-ends/*"
+
+BBCLASSEXTEND = "native"
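Review bot: in `do_compile`, `rm -f $(ls -1 policies/*.pol | grep -v DEFAULT.pol) || echo nothing to delete` parses and word-splits `ls` output, and the `|| echo` also masks a real `rm` failure; `find policies -name '*.pol' ! -name DEFAULT.pol -delete` does the same job without either problem, and the comment above it should read "policy variants". Deleting every other `.pol` file is also a behavioural choice worth a sentence in the recipe: only `DEFAULT/rpm-sequoia.txt` is installed, so a consumer expecting the FIPS or LEGACY back-end config will not find it in this package. Three smaller items: the recipe sets no `PV`, so the package version is just "git"; the usual form for a `_git.bb` recipe is `PV = "<upstream version>+git"` with `SRCREV` pinning the commit (the upstream version number is not on this page). `SRC_URI` applies `0001-Make-xsltproc...`, `0002-Don-t-use-hardcoded...` and then `0001-Don-t-test-crypto-policies.patch`, so the third patch's `0001` prefix collides with the first; numbering it `0003` makes the names match the apply order. And `DEPENDS` keeps `openssl-native` although the patched build no longer runs `test_config()`; either the dependency is now unnecessary or the test could have been kept, and it is worth checking which.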