
[v12,1/5] rpm-sequoia-crypto-policy: New recipe

Message ID 20250212043532.1258912-1-zboszor@gmail.com
State Accepted, archived
Commit 8e499cefab6bfb40b40ae3eb811ca3eb51a7d4bc
Series [v12,1/5] rpm-sequoia-crypto-policy: New recipe

Commit Message

Zoltán Böszörményi Feb. 12, 2025, 4:35 a.m. UTC
This ships a crypto policy file for rpm-sequoia.

Signed-off-by: Zoltán Böszörményi <zboszor@gmail.com>
---
 meta/conf/distro/include/maintainers.inc      |  1 +
 .../rpm-sequoia-crypto-policy_git.bb          | 34 +++++++++++++++++++
 2 files changed, 35 insertions(+)
 create mode 100644 meta/recipes-devtools/rpm-sequoia/rpm-sequoia-crypto-policy_git.bb

Comments

Mathieu Dubois-Briand Feb. 13, 2025, 1:36 p.m. UTC | #1
On Wed Feb 12, 2025 at 5:35 AM CET, Zoltán Böszörményi wrote:
> This ships a crypto policy file for rpm-sequoia.
>
> Signed-off-by: Zoltán Böszörményi <zboszor@gmail.com>
> ---

Hi Zoltán,

I believe we have a new issue with this version:

| python/build-crypto-policies.py --reloadcmds policies output
| /tmp/tmpqvyryz80: line 5: Bad configuration option: pubkeyacceptedalgorithms
| /tmp/tmpqvyryz80: line 6: Bad configuration option: hostbasedacceptedalgorithms
| /tmp/tmpqvyryz80: line 8: Bad configuration option: requiredrsasize
| /tmp/tmpqvyryz80: terminating, 3 bad configuration options
| There is an error in OpenSSH server generated policy

https://autobuilder.yoctoproject.org/valkyrie/?#/builders/3/builds/1027/steps/11/logs/stdio

Can you have a look at this error please?
Zoltán Böszörményi Feb. 13, 2025, 2:20 p.m. UTC | #2
On 2025. 02. 13. 14:36, Mathieu Dubois-Briand wrote:
> On Wed Feb 12, 2025 at 5:35 AM CET, Zoltán Böszörményi wrote:
>> This ships a crypto policy file for rpm-sequoia.
>>
>> Signed-off-by: Zoltán Böszörményi <zboszor@gmail.com>
>> ---
> Hi Zoltán,
>
> I believe we have a new issue with this version:
>
> | python/build-crypto-policies.py --reloadcmds policies output
> | /tmp/tmpqvyryz80: line 5: Bad configuration option: pubkeyacceptedalgorithms
> | /tmp/tmpqvyryz80: line 6: Bad configuration option: hostbasedacceptedalgorithms
> | /tmp/tmpqvyryz80: line 8: Bad configuration option: requiredrsasize
> | /tmp/tmpqvyryz80: terminating, 3 bad configuration options
> | There is an error in OpenSSH server generated policy
>
> https://autobuilder.yoctoproject.org/valkyrie/?#/builders/3/builds/1027/steps/11/logs/stdio
>
> Can you have a look at this error please?

I tested the recipe on Fedora 41 with:
* nss 3.107.0 installed with /usr/bin/nss-policy-check present, and
* faking uninstalling it by renaming /usr/bin/nss-policy-check

Both worked.

Some of your build hosts where nss was not installed complained
about executing nss-policy-check unconditionally, which is now fixed.

I think this is on a build host with a very old nss version installed.
Can you uninstall it?
Richard Purdie Feb. 13, 2025, 2:32 p.m. UTC | #3
On Thu, 2025-02-13 at 15:20 +0100, Böszörményi Zoltán wrote:
> On 2025. 02. 13. 14:36, Mathieu Dubois-Briand wrote:
> > On Wed Feb 12, 2025 at 5:35 AM CET, Zoltán Böszörményi wrote:
> > > This ships a crypto policy file for rpm-sequoia.
> > > 
> > > Signed-off-by: Zoltán Böszörményi <zboszor@gmail.com>
> > > ---
> > Hi Zoltán,
> > 
> > I believe we have a new issue with this version:
> > 
> > > python/build-crypto-policies.py --reloadcmds policies output
> > > /tmp/tmpqvyryz80: line 5: Bad configuration option:
> > > pubkeyacceptedalgorithms
> > > /tmp/tmpqvyryz80: line 6: Bad configuration option:
> > > hostbasedacceptedalgorithms
> > > /tmp/tmpqvyryz80: line 8: Bad configuration option:
> > > requiredrsasize
> > > /tmp/tmpqvyryz80: terminating, 3 bad configuration options
> > > There is an error in OpenSSH server generated policy
> > 
> > https://autobuilder.yoctoproject.org/valkyrie/?#/builders/3/builds/1027/steps/11/logs/stdio
> > 
> > Can you have a look at this error please?
> 
> I tested the recipe on Fedora 41 with:
> * nss 3.107.0 installed with /usr/bin/nss-policy-check present, and
> * faking uninstalling it by renaming /usr/bin/nss-policy-check
> 
> Both worked.
> 
> Some of your build hosts where nss was not installed complained
> about executing nss-policy-check unconditionally, which is now fixed.
> 
> I think this is on a build host with a very old nss version
> installed.
> Can you uninstall it?

We aim to filter the environment and work the same way in all cases so
this sounds like host contamination.

I think we may have to just stop it using it from the host
unconditionally.

Cheers,

Richard
Zoltán Böszörményi Feb. 13, 2025, 2:40 p.m. UTC | #4
On 2025. 02. 13. 15:32, Richard Purdie wrote:
> On Thu, 2025-02-13 at 15:20 +0100, Böszörményi Zoltán wrote:
>> On 2025. 02. 13. 14:36, Mathieu Dubois-Briand wrote:
>>> On Wed Feb 12, 2025 at 5:35 AM CET, Zoltán Böszörményi wrote:
>>>> This ships a crypto policy file for rpm-sequoia.
>>>>
>>>> Signed-off-by: Zoltán Böszörményi <zboszor@gmail.com>
>>>> ---
>>> Hi Zoltán,
>>>
>>> I believe we have a new issue with this version:
>>>
>>>> python/build-crypto-policies.py --reloadcmds policies output
>>>> /tmp/tmpqvyryz80: line 5: Bad configuration option:
>>>> pubkeyacceptedalgorithms
>>>> /tmp/tmpqvyryz80: line 6: Bad configuration option:
>>>> hostbasedacceptedalgorithms
>>>> /tmp/tmpqvyryz80: line 8: Bad configuration option:
>>>> requiredrsasize
>>>> /tmp/tmpqvyryz80: terminating, 3 bad configuration options
>>>> There is an error in OpenSSH server generated policy
>>> https://autobuilder.yoctoproject.org/valkyrie/?#/builders/3/builds/1027/steps/11/logs/stdio
>>>
>>> Can you have a look at this error please?
>> I tested the recipe on Fedora 41 with:
>> * nss 3.107.0 installed with /usr/bin/nss-policy-check present, and
>> * faking uninstalling it by renaming /usr/bin/nss-policy-check
>>
>> Both worked.
>>
>> Some of your build hosts where nss was not installed complained
>> about executing nss-policy-check unconditionally, which is now fixed.
>>
>> I think this is on a build host with a very old nss version
>> installed.
>> Can you uninstall it?
> We aim to filter the environment and work the same way in all cases so
> this sounds like host contamination.
>
> I think we may have to just stop it using it from the host
> unconditionally.

It's not used unconditionally from the host anymore.
It's detected via shutil.which() so if it's in PATH, it is used. See:
https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/commit/032b418a6db842f0eab330eb5909e4604e888728
Zoltán Böszörményi Feb. 13, 2025, 2:43 p.m. UTC | #5
On 2025. 02. 13. 15:20, Zoltan Boszormenyi via lists.openembedded.org wrote:
> On 2025. 02. 13. 14:36, Mathieu Dubois-Briand wrote:
>> On Wed Feb 12, 2025 at 5:35 AM CET, Zoltán Böszörményi wrote:
>>> This ships a crypto policy file for rpm-sequoia.
>>>
>>> Signed-off-by: Zoltán Böszörményi <zboszor@gmail.com>
>>> ---
>> Hi Zoltán,
>>
>> I believe we have a new issue with this version:
>>
>> | python/build-crypto-policies.py --reloadcmds policies output
>> | /tmp/tmpqvyryz80: line 5: Bad configuration option: pubkeyacceptedalgorithms
>> | /tmp/tmpqvyryz80: line 6: Bad configuration option: hostbasedacceptedalgorithms
>> | /tmp/tmpqvyryz80: line 8: Bad configuration option: requiredrsasize
>> | /tmp/tmpqvyryz80: terminating, 3 bad configuration options
>> | There is an error in OpenSSH server generated policy
>>
>> https://autobuilder.yoctoproject.org/valkyrie/?#/builders/3/builds/1027/steps/11/logs/stdio 
>>
>>
>> Can you have a look at this error please?
>
> I tested the recipe on Fedora 41 with:
> * nss 3.107.0 installed with /usr/bin/nss-policy-check present, and
> * faking uninstalling it by renaming /usr/bin/nss-policy-check
>
> Both worked.
>
> Some of your build hosts where nss was not installed complained
> about executing nss-policy-check unconditionally, which is now fixed.
>
> I think this is on a build host with a very old nss version installed.
> Can you uninstall it?

I found an alternative solution but it involves patching out
most of the policy generators:

================================================
$ git diff python/policygenerators/__init__.py
diff --git a/python/policygenerators/__init__.py b/python/policygenerators/__init__.py
index 0e3013e..180fb2a 100644
--- a/python/policygenerators/__init__.py
+++ b/python/policygenerators/__init__.py
@@ -3,34 +3,8 @@
  # Copyright (c) 2019 Red Hat, Inc.
  # Copyright (c) 2019 Tomáš Mráz <tmraz@fedoraproject.org>

-from .bind import BindGenerator
-from .gnutls import GnuTLSGenerator
-from .java import JavaGenerator
-from .krb5 import KRB5Generator
-from .libreswan import LibreswanGenerator
-from .libssh import LibsshGenerator
-from .nss import NSSGenerator
-from .openssh import OpenSSHClientGenerator, OpenSSHServerGenerator
-from .openssl import (
-    OpenSSLConfigGenerator,
-    OpenSSLFIPSGenerator,
-    OpenSSLGenerator,
-)
-from .sequoia import RPMSequoiaGenerator, SequoiaGenerator
+from .sequoia import RPMSequoiaGenerator

  __all__ = [
-    'BindGenerator',
-    'GnuTLSGenerator',
-    'JavaGenerator',
-    'KRB5Generator',
-    'LibreswanGenerator',
-    'LibsshGenerator',
-    'NSSGenerator',
-    'OpenSSHClientGenerator',
-    'OpenSSHServerGenerator',
-    'OpenSSLConfigGenerator',
-    'OpenSSLFIPSGenerator',
-    'OpenSSLGenerator',
      'RPMSequoiaGenerator',
-    'SequoiaGenerator',
  ]
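Review bot: this hunk removes far more than the failure it works around. The log quoted above shows only the OpenSSH server policy check failing against the host's sshd, yet the hunk also drops `SequoiaGenerator` and the OpenSSL, GnuTLS, NSS, krb5, libssh, Java, bind and libreswan generators from both the imports and `__all__`, so the native build would silently stop producing policies for every one of those backends. If a local patch is kept at all, narrow it to the OpenSSH client/server validation (or gate that validation on the environment variable mentioned later in the thread) and leave the rest of the import list and `__all__` intact; and since it is meant as `Upstream-Status: Inappropriate`, put that line and the justification in the patch header rather than only in this mail.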
================================================

That should work with this old nss version according to
the log.do_compile output.

I can't see an easy way to make these imports and list conditional,
so the patch would be "Upstream-Status: Inappropriate".

Since it should only happen for the native build, the patch can be

SRC_URI:append:class-native = "..."

As far as I know, /usr/bin is filtered from target builds but not from
native builds.
Richard Purdie Feb. 13, 2025, 3:06 p.m. UTC | #6
On Thu, 2025-02-13 at 15:43 +0100, Böszörményi Zoltán wrote:
> On 2025. 02. 13. 15:20, Zoltan Boszormenyi via
> lists.openembedded.org wrote:
> > On 2025. 02. 13. 14:36, Mathieu Dubois-Briand wrote:
> > > On Wed Feb 12, 2025 at 5:35 AM CET, Zoltán Böszörményi wrote:
> > > > This ships a crypto policy file for rpm-sequoia.
> > > > 
> > > > Signed-off-by: Zoltán Böszörményi <zboszor@gmail.com>
> > > > ---
> > > Hi Zoltán,
> > > 
> > > I believe we have a new issue with this version:
> > > 
> > > > python/build-crypto-policies.py --reloadcmds policies output
> > > > /tmp/tmpqvyryz80: line 5: Bad configuration option:
> > > > pubkeyacceptedalgorithms
> > > > /tmp/tmpqvyryz80: line 6: Bad configuration option:
> > > > hostbasedacceptedalgorithms
> > > > /tmp/tmpqvyryz80: line 8: Bad configuration option:
> > > > requiredrsasize
> > > > /tmp/tmpqvyryz80: terminating, 3 bad configuration options
> > > > There is an error in OpenSSH server generated policy
> > > 
> > > https://autobuilder.yoctoproject.org/valkyrie/?#/builders/3/builds/1027/steps/11/logs/stdio
> > >  
> > > 
> > > 
> > > Can you have a look at this error please?
> > 
> > I tested the recipe on Fedora 41 with:
> > * nss 3.107.0 installed with /usr/bin/nss-policy-check present, and
> > * faking uninstalling it by renaming /usr/bin/nss-policy-check
> > 
> > Both worked.
> > 
> > Some of your build hosts where nss was not installed complained
> > about executing nss-policy-check unconditionally, which is now
> > fixed.
> > 
> > I think this is on a build host with a very old nss version
> > installed.
> > Can you uninstall it?
> 
> I found an alternative solution but it involves patching out
> most of the policy generators:
> 
> ================================================
> $ git diff python/policygenerators/__init__.py
> diff --git a/python/policygenerators/__init__.py
> b/python/policygenerators/__init__.py
> index 0e3013e..180fb2a 100644
> --- a/python/policygenerators/__init__.py
> +++ b/python/policygenerators/__init__.py
> @@ -3,34 +3,8 @@
>   # Copyright (c) 2019 Red Hat, Inc.
>   # Copyright (c) 2019 Tomáš Mráz <tmraz@fedoraproject.org>
> 
> -from .bind import BindGenerator
> -from .gnutls import GnuTLSGenerator
> -from .java import JavaGenerator
> -from .krb5 import KRB5Generator
> -from .libreswan import LibreswanGenerator
> -from .libssh import LibsshGenerator
> -from .nss import NSSGenerator
> -from .openssh import OpenSSHClientGenerator, OpenSSHServerGenerator
> -from .openssl import (
> -    OpenSSLConfigGenerator,
> -    OpenSSLFIPSGenerator,
> -    OpenSSLGenerator,
> -)
> -from .sequoia import RPMSequoiaGenerator, SequoiaGenerator
> +from .sequoia import RPMSequoiaGenerator
> 
>   __all__ = [
> -    'BindGenerator',
> -    'GnuTLSGenerator',
> -    'JavaGenerator',
> -    'KRB5Generator',
> -    'LibreswanGenerator',
> -    'LibsshGenerator',
> -    'NSSGenerator',
> -    'OpenSSHClientGenerator',
> -    'OpenSSHServerGenerator',
> -    'OpenSSLConfigGenerator',
> -    'OpenSSLFIPSGenerator',
> -    'OpenSSLGenerator',
>       'RPMSequoiaGenerator',
> -    'SequoiaGenerator',
>   ]
> ================================================
> 
> That should work with this old nss version according to
> the log.do_compile output.
> 
> I can't see an easy way to make these imports and list conditional,
> so the patch would be "Upstream-Status: Inappropriate".
> 
> Since it should only happen for the native build, the patch can be
> 
> SRC_URI:append:class-native = "..."
> 
> As far as I know, /usr/bin is filtered from target builds but not
> from native builds.

We only allow access to things from HOSTTOOLS, nothing else is meant to
be used, even for native builds.

Cheers,

Richard
Zoltán Böszörményi Feb. 13, 2025, 3:09 p.m. UTC | #7
On 2025. 02. 13. 15:43, Zoltan Boszormenyi via lists.openembedded.org wrote:
> On 2025. 02. 13. 15:20, Zoltan Boszormenyi via lists.openembedded.org wrote:
>> On 2025. 02. 13. 14:36, Mathieu Dubois-Briand wrote:
>>> On Wed Feb 12, 2025 at 5:35 AM CET, Zoltán Böszörményi wrote:
>>>> This ships a crypto policy file for rpm-sequoia.
>>>>
>>>> Signed-off-by: Zoltán Böszörményi <zboszor@gmail.com>
>>>> ---
>>> Hi Zoltán,
>>>
>>> I believe we have a new issue with this version:
>>>
>>> | python/build-crypto-policies.py --reloadcmds policies output
>>> | /tmp/tmpqvyryz80: line 5: Bad configuration option: pubkeyacceptedalgorithms
>>> | /tmp/tmpqvyryz80: line 6: Bad configuration option: hostbasedacceptedalgorithms
>>> | /tmp/tmpqvyryz80: line 8: Bad configuration option: requiredrsasize
>>> | /tmp/tmpqvyryz80: terminating, 3 bad configuration options
>>> | There is an error in OpenSSH server generated policy
>>>
>>> https://autobuilder.yoctoproject.org/valkyrie/?#/builders/3/builds/1027/steps/11/logs/stdio 
>>>
>>>
>>> Can you have a look at this error please?
>>
>> I tested the recipe on Fedora 41 with:
>> * nss 3.107.0 installed with /usr/bin/nss-policy-check present, and
>> * faking uninstalling it by renaming /usr/bin/nss-policy-check
>>
>> Both worked.
>>
>> Some of your build hosts where nss was not installed complained
>> about executing nss-policy-check unconditionally, which is now fixed.
>>
>> I think this is on a build host with a very old nss version installed.
>> Can you uninstall it?
>
> I found an alternative solution but it involves patching out
> most of the policy generators:
>
> <bad patch>

Wrong diagnosis.

It only happens for openssh and openssh server configs.
And it should work with export OLD_OPENSSH=1.

Is it okay if I re-send only the first patch in the series?
Zoltán Böszörményi Feb. 13, 2025, 3:14 p.m. UTC | #8
On 2025. 02. 13. 16:06, Richard Purdie wrote:
> On Thu, 2025-02-13 at 15:43 +0100, Böszörményi Zoltán wrote:
>> On 2025. 02. 13. 15:20, Zoltan Boszormenyi via
>> lists.openembedded.org wrote:
>>> On 2025. 02. 13. 14:36, Mathieu Dubois-Briand wrote:
>>>> On Wed Feb 12, 2025 at 5:35 AM CET, Zoltán Böszörményi wrote:
>>>>> This ships a crypto policy file for rpm-sequoia.
>>>>>
>>>>> Signed-off-by: Zoltán Böszörményi <zboszor@gmail.com>
>>>>> ---
>>>> Hi Zoltán,
>>>>
>>>> I believe we have a new issue with this version:
>>>>
>>>>> python/build-crypto-policies.py --reloadcmds policies output
>>>>> /tmp/tmpqvyryz80: line 5: Bad configuration option:
>>>>> pubkeyacceptedalgorithms
>>>>> /tmp/tmpqvyryz80: line 6: Bad configuration option:
>>>>> hostbasedacceptedalgorithms
>>>>> /tmp/tmpqvyryz80: line 8: Bad configuration option:
>>>>> requiredrsasize
>>>>> /tmp/tmpqvyryz80: terminating, 3 bad configuration options
>>>>> There is an error in OpenSSH server generated policy
>>>> https://autobuilder.yoctoproject.org/valkyrie/?#/builders/3/builds/1027/steps/11/logs/stdio
>>>>   
>>>>
>>>>
>>>> Can you have a look at this error please?
>>> I tested the recipe on Fedora 41 with:
>>> * nss 3.107.0 installed with /usr/bin/nss-policy-check present, and
>>> * faking uninstalling it by renaming /usr/bin/nss-policy-check
>>>
>>> Both worked.
>>>
>>> Some of your build hosts where nss was not installed complained
>>> about executing nss-policy-check unconditionally, which is now
>>> fixed.
>>>
>>> I think this is on a build host with a very old nss version
>>> installed.
>>> Can you uninstall it?
>> I found an alternative solution but it involves patching out
>> most of the policy generators:
>>
>> ================================================
>> $ git diff python/policygenerators/__init__.py
>> diff --git a/python/policygenerators/__init__.py
>> b/python/policygenerators/__init__.py
>> index 0e3013e..180fb2a 100644
>> --- a/python/policygenerators/__init__.py
>> +++ b/python/policygenerators/__init__.py
>> @@ -3,34 +3,8 @@
>>    # Copyright (c) 2019 Red Hat, Inc.
>>    # Copyright (c) 2019 Tomáš Mráz <tmraz@fedoraproject.org>
>>
>> -from .bind import BindGenerator
>> -from .gnutls import GnuTLSGenerator
>> -from .java import JavaGenerator
>> -from .krb5 import KRB5Generator
>> -from .libreswan import LibreswanGenerator
>> -from .libssh import LibsshGenerator
>> -from .nss import NSSGenerator
>> -from .openssh import OpenSSHClientGenerator, OpenSSHServerGenerator
>> -from .openssl import (
>> -    OpenSSLConfigGenerator,
>> -    OpenSSLFIPSGenerator,
>> -    OpenSSLGenerator,
>> -)
>> -from .sequoia import RPMSequoiaGenerator, SequoiaGenerator
>> +from .sequoia import RPMSequoiaGenerator
>>
>>    __all__ = [
>> -    'BindGenerator',
>> -    'GnuTLSGenerator',
>> -    'JavaGenerator',
>> -    'KRB5Generator',
>> -    'LibreswanGenerator',
>> -    'LibsshGenerator',
>> -    'NSSGenerator',
>> -    'OpenSSHClientGenerator',
>> -    'OpenSSHServerGenerator',
>> -    'OpenSSLConfigGenerator',
>> -    'OpenSSLFIPSGenerator',
>> -    'OpenSSLGenerator',
>>        'RPMSequoiaGenerator',
>> -    'SequoiaGenerator',
>>    ]
>> ================================================
>>
>> That should work with this old nss version according to
>> the log.do_compile output.
>>
>> I can't see an easy way to make these imports and list conditional,
>> so the patch would be "Upstream-Status: Inappropriate".
>>
>> Since it should only happen for the native build, the patch can be
>>
>> SRC_URI:append:class-native = "..."
>>
>> As far as I know, /usr/bin is filtered from target builds but not
>> from native builds.
> We only allow access to things from HOSTTOOLS, nothing else is meant to
> be used, even for native builds.

As I wrote, I misdiagnosed it. There's no problem with nss-policy-check.

Does HOSTTOOLS include /usr/bin/ssh and /usr/bin/sshd?
Because the test_config() class method only fails for openssh and opensshserver.
They can be ignored with an envvar.
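Two points in this thread are worth seeing in code: message #4 says the policy builder discovers its external checkers with shutil.which(), so whatever happens to be on PATH gets used (the host contamination Richard describes), and message #8 says the OpenSSH checks can be skipped with an environment variable (OLD_OPENSSH). The block below is an added example, not code from fedora-crypto-policies or the OE recipe: it restricts discovery to an allow-listed directory list (the HOSTTOOLS idea) and honours an opt-out variable. The function names are hypothetical, and how upstream actually reads OLD_OPENSSH is an assumption; the directories and the `sshd` stub are constructed in a temp dir so it runs offline.

```python
"""Added example, not code from fedora-crypto-policies or the OE recipe.

Shows allow-listed checker discovery with shutil.which() plus an opt-out
environment variable. OLD_OPENSSH is the variable named in the thread;
how upstream reads it is an assumption here, and the function names are
hypothetical."""
import os
import shutil
import stat
import tempfile


def find_checker(name, search_dirs):
    """Locate `name` in search_dirs only, never in the ambient PATH.

    Passing an explicit path to shutil.which() is what keeps a tool that
    merely happens to be installed on the build host out of the build."""
    if not search_dirs:
        return None
    return shutil.which(name, path=os.pathsep.join(search_dirs))


def should_run_checker(name, search_dirs, env, skip_var=None):
    """Return (run, reason) for validating a generated policy with `name`.

    skip_var mirrors the OLD_OPENSSH opt-out from the thread: a non-empty
    value skips the check even when the tool exists, because an older
    ssh/sshd rejects options the generated policy relies on."""
    if skip_var and env.get(skip_var):
        return False, f"{skip_var} is set; skipping {name} validation"
    path = find_checker(name, search_dirs)
    if path is None:
        return False, f"{name} not found in the allowed search path"
    return True, path


def _make_fake_tool(directory, name):
    """Constructed sample input: an executable stub named `name`."""
    path = os.path.join(directory, name)
    with open(path, "w") as f:
        f.write("#!/bin/sh\nexit 0\n")
    os.chmod(path, os.stat(path).st_mode | stat.S_IXUSR)
    return path


def demo():
    """Run the three cases from the thread on constructed directories."""
    with tempfile.TemporaryDirectory() as host_bin, \
            tempfile.TemporaryDirectory() as hosttools:
        _make_fake_tool(host_bin, "sshd")  # stands in for a host sshd

        # Unfiltered PATH-like search: the host sshd leaks into the build.
        unfiltered, _ = should_run_checker("sshd", [host_bin, hosttools], {})
        # Search restricted to the allow-listed directory: not found.
        filtered, _ = should_run_checker("sshd", [hosttools], {})
        # Tool is visible, but the opt-out variable disables the check.
        opted_out, _ = should_run_checker(
            "sshd", [host_bin], {"OLD_OPENSSH": "1"}, skip_var="OLD_OPENSSH")
    return {"unfiltered": unfiltered, "filtered": filtered,
            "opted_out": opted_out}


if __name__ == "__main__":
    print(demo())
```

The interesting case is the middle one: the same binary is present on the machine, but because the lookup is given an explicit path instead of inheriting PATH, the build behaves identically on a host with and without sshd installed, which is the property the autobuilder expects.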
Alexander Kanavin Feb. 13, 2025, 3:16 p.m. UTC | #9
Generally it's best to resend the whole patchset, as sending
individual follow up patches doesn't scale for maintainers, they can
easily lose track of how to combine everything into a non-broken set
of commits if many people start sending partial patches at the same
time.

Alex

On Thu, 13 Feb 2025 at 16:14, Böszörményi Zoltán <zboszor@gmail.com> wrote:
>
> On 2025. 02. 13. 16:06, Richard Purdie wrote:
> > On Thu, 2025-02-13 at 15:43 +0100, Böszörményi Zoltán wrote:
> >> On 2025. 02. 13. 15:20, Zoltan Boszormenyi via
> >> lists.openembedded.org wrote:
> >>> On 2025. 02. 13. 14:36, Mathieu Dubois-Briand wrote:
> >>>> On Wed Feb 12, 2025 at 5:35 AM CET, Zoltán Böszörményi wrote:
> >>>>> This ships a crypto policy file for rpm-sequoia.
> >>>>>
> >>>>> Signed-off-by: Zoltán Böszörményi <zboszor@gmail.com>
> >>>>> ---
> >>>> Hi Zoltán,
> >>>>
> >>>> I believe we have a new issue with this version:
> >>>>
> >>>>> python/build-crypto-policies.py --reloadcmds policies output
> >>>>> /tmp/tmpqvyryz80: line 5: Bad configuration option:
> >>>>> pubkeyacceptedalgorithms
> >>>>> /tmp/tmpqvyryz80: line 6: Bad configuration option:
> >>>>> hostbasedacceptedalgorithms
> >>>>> /tmp/tmpqvyryz80: line 8: Bad configuration option:
> >>>>> requiredrsasize
> >>>>> /tmp/tmpqvyryz80: terminating, 3 bad configuration options
> >>>>> There is an error in OpenSSH server generated policy
> >>>> https://autobuilder.yoctoproject.org/valkyrie/?#/builders/3/builds/1027/steps/11/logs/stdio
> >>>>
> >>>>
> >>>>
> >>>> Can you have a look at this error please?
> >>> I tested the recipe on Fedora 41 with:
> >>> * nss 3.107.0 installed with /usr/bin/nss-policy-check present, and
> >>> * faking uninstalling it by renaming /usr/bin/nss-policy-check
> >>>
> >>> Both worked.
> >>>
> >>> Some of your build hosts where nss was not installed complained
> >>> about executing nss-policy-check unconditionally, which is now
> >>> fixed.
> >>>
> >>> I think this is on a build host with a very old nss version
> >>> installed.
> >>> Can you uninstall it?
> >> I found an alternative solution but it involves patching out
> >> most of the policy generators:
> >>
> >> ================================================
> >> $ git diff python/policygenerators/__init__.py
> >> diff --git a/python/policygenerators/__init__.py
> >> b/python/policygenerators/__init__.py
> >> index 0e3013e..180fb2a 100644
> >> --- a/python/policygenerators/__init__.py
> >> +++ b/python/policygenerators/__init__.py
> >> @@ -3,34 +3,8 @@
> >>    # Copyright (c) 2019 Red Hat, Inc.
> >>    # Copyright (c) 2019 Tomáš Mráz <tmraz@fedoraproject.org>
> >>
> >> -from .bind import BindGenerator
> >> -from .gnutls import GnuTLSGenerator
> >> -from .java import JavaGenerator
> >> -from .krb5 import KRB5Generator
> >> -from .libreswan import LibreswanGenerator
> >> -from .libssh import LibsshGenerator
> >> -from .nss import NSSGenerator
> >> -from .openssh import OpenSSHClientGenerator, OpenSSHServerGenerator
> >> -from .openssl import (
> >> -    OpenSSLConfigGenerator,
> >> -    OpenSSLFIPSGenerator,
> >> -    OpenSSLGenerator,
> >> -)
> >> -from .sequoia import RPMSequoiaGenerator, SequoiaGenerator
> >> +from .sequoia import RPMSequoiaGenerator
> >>
> >>    __all__ = [
> >> -    'BindGenerator',
> >> -    'GnuTLSGenerator',
> >> -    'JavaGenerator',
> >> -    'KRB5Generator',
> >> -    'LibreswanGenerator',
> >> -    'LibsshGenerator',
> >> -    'NSSGenerator',
> >> -    'OpenSSHClientGenerator',
> >> -    'OpenSSHServerGenerator',
> >> -    'OpenSSLConfigGenerator',
> >> -    'OpenSSLFIPSGenerator',
> >> -    'OpenSSLGenerator',
> >>        'RPMSequoiaGenerator',
> >> -    'SequoiaGenerator',
> >>    ]
> >> ================================================
> >>
> >> That should work with this old nss version according to
> >> the log.do_compile output.
> >>
> >> I can't see an easy way to make these imports and list conditional,
> >> so the patch would be "Upstream-Status: Inappropriate".
> >>
> >> Since it should only happen for the native build, the patch can be
> >>
> >> SRC_URI:append:class-native = "..."
> >>
> >> As far as I know, /usr/bin is filtered from target builds but not
> >> from native builds.
> > We only allow access to things from HOSTTOOLS, nothing else is meant to
> > be used, even for native builds.
>
> As I wrote, I misdiagnosed it. There's no problem with nss-policy-check.
>
> Does HOSTTOOLS include /usr/bin/ssh and /usr/bin/sshd?
> Because the test_config() class method only fails for openssh and opensshserver.
> They can be ignored with an envvar.
>
Richard Purdie Feb. 13, 2025, 3:17 p.m. UTC | #10
On Thu, 2025-02-13 at 16:14 +0100, Böszörményi Zoltán wrote:
> On 2025. 02. 13. 16:06, Richard Purdie wrote:
> > On Thu, 2025-02-13 at 15:43 +0100, Böszörményi Zoltán wrote:
> > > On 2025. 02. 13. 15:20, Zoltan Boszormenyi via
> > > lists.openembedded.org wrote:
> > > > On 2025. 02. 13. 14:36, Mathieu Dubois-Briand wrote:
> > > > > On Wed Feb 12, 2025 at 5:35 AM CET, Zoltán Böszörményi wrote:
> > > > > > This ships a crypto policy file for rpm-sequoia.
> > > > > > 
> > > > > > Signed-off-by: Zoltán Böszörményi <zboszor@gmail.com>
> > > > > > ---
> > > > > Hi Zoltán,
> > > > > 
> > > > > I believe we have a new issue with this version:
> > > > > 
> > > > > > python/build-crypto-policies.py --reloadcmds policies
> > > > > > output
> > > > > > /tmp/tmpqvyryz80: line 5: Bad configuration option:
> > > > > > pubkeyacceptedalgorithms
> > > > > > /tmp/tmpqvyryz80: line 6: Bad configuration option:
> > > > > > hostbasedacceptedalgorithms
> > > > > > /tmp/tmpqvyryz80: line 8: Bad configuration option:
> > > > > > requiredrsasize
> > > > > > /tmp/tmpqvyryz80: terminating, 3 bad configuration options
> > > > > > There is an error in OpenSSH server generated policy
> > > > > https://autobuilder.yoctoproject.org/valkyrie/?#/builders/3/builds/1027/steps/11/logs/stdio
> > > > >   
> > > > > 
> > > > > 
> > > > > Can you have a look at this error please?
> > > > I tested the recipe on Fedora 41 with:
> > > > * nss 3.107.0 installed with /usr/bin/nss-policy-check present,
> > > > and
> > > > * faking uninstalling it by renaming /usr/bin/nss-policy-check
> > > > 
> > > > Both worked.
> > > > 
> > > > Some of your build hosts where nss was not installed complained
> > > > about executing nss-policy-check unconditionally, which is now
> > > > fixed.
> > > > 
> > > > I think this is on a build host with a very old nss version
> > > > installed.
> > > > Can you uninstall it?
> > > I found an alternative solution but it involves patching out
> > > most of the policy generators:
> > > 
> > > ================================================
> > > $ git diff python/policygenerators/__init__.py
> > > diff --git a/python/policygenerators/__init__.py
> > > b/python/policygenerators/__init__.py
> > > index 0e3013e..180fb2a 100644
> > > --- a/python/policygenerators/__init__.py
> > > +++ b/python/policygenerators/__init__.py
> > > @@ -3,34 +3,8 @@
> > >    # Copyright (c) 2019 Red Hat, Inc.
> > >    # Copyright (c) 2019 Tomáš Mráz <tmraz@fedoraproject.org>
> > > 
> > > -from .bind import BindGenerator
> > > -from .gnutls import GnuTLSGenerator
> > > -from .java import JavaGenerator
> > > -from .krb5 import KRB5Generator
> > > -from .libreswan import LibreswanGenerator
> > > -from .libssh import LibsshGenerator
> > > -from .nss import NSSGenerator
> > > -from .openssh import OpenSSHClientGenerator,
> > > OpenSSHServerGenerator
> > > -from .openssl import (
> > > -    OpenSSLConfigGenerator,
> > > -    OpenSSLFIPSGenerator,
> > > -    OpenSSLGenerator,
> > > -)
> > > -from .sequoia import RPMSequoiaGenerator, SequoiaGenerator
> > > +from .sequoia import RPMSequoiaGenerator
> > > 
> > >    __all__ = [
> > > -    'BindGenerator',
> > > -    'GnuTLSGenerator',
> > > -    'JavaGenerator',
> > > -    'KRB5Generator',
> > > -    'LibreswanGenerator',
> > > -    'LibsshGenerator',
> > > -    'NSSGenerator',
> > > -    'OpenSSHClientGenerator',
> > > -    'OpenSSHServerGenerator',
> > > -    'OpenSSLConfigGenerator',
> > > -    'OpenSSLFIPSGenerator',
> > > -    'OpenSSLGenerator',
> > >        'RPMSequoiaGenerator',
> > > -    'SequoiaGenerator',
> > >    ]
> > > ================================================
> > > 
> > > That should work with this old nss version according to
> > > the log.do_compile output.
> > > 
> > > I can't see an easy way to make these imports and list
> > > conditional,
> > > so the patch would be "Upstream-Status: Inappropriate".
> > > 
> > > Since it should only happen for the native build, the patch can
> > > be
> > > 
> > > SRC_URI:append:class-native = "..."
> > > 
> > > As far as I know, /usr/bin is filtered from target builds but not
> > > from native builds.
> > We only allow access to things from HOSTTOOLS, nothing else is
> > meant to
> > be used, even for native builds.
> 
> As I wrote, I misdiagnosed it. There's no problem with nss-policy-
> check.
> 
> Does HOSTTOOLS include /usr/bin/ssh and /usr/bin/sshd?
> Because the test_config() class method only fails for openssh and
> opensshserver.
> They can be ignored with an envvar.

Yes, those could be pulled in as we use them in qemu testing so we
should probably set the envvar...

Cheers,

Richard
Zoltán Böszörményi Feb. 13, 2025, 3:27 p.m. UTC | #11
On 2025. 02. 13. 16:16, Alexander Kanavin wrote:
> Generally it's best to resend the whole patchset, as sending
> individual follow up patches doesn't scale for maintainers, they can
> easily lose track of how to combine everything into a non-broken set
> of commits if many people start sending partial patches at the same
> time.

Got it. I re-sent the whole series with this small fix included.

>
> Alex
>
> On Thu, 13 Feb 2025 at 16:14, Böszörményi Zoltán <zboszor@gmail.com> wrote:
>> On 2025. 02. 13. 16:06, Richard Purdie wrote:
>>> On Thu, 2025-02-13 at 15:43 +0100, Böszörményi Zoltán wrote:
>>>> On 2025. 02. 13. 15:20, Zoltan Boszormenyi via
>>>> lists.openembedded.org wrote:
>>>>> On 2025. 02. 13. 14:36, Mathieu Dubois-Briand wrote:
>>>>>> On Wed Feb 12, 2025 at 5:35 AM CET, Zoltán Böszörményi wrote:
>>>>>>> This ships a crypto policy file for rpm-sequoia.
>>>>>>>
>>>>>>> Signed-off-by: Zoltán Böszörményi <zboszor@gmail.com>
>>>>>>> ---
>>>>>> Hi Zoltán,
>>>>>>
>>>>>> I believe we have a new issue with this version:
>>>>>>
>>>>>>> python/build-crypto-policies.py --reloadcmds policies output
>>>>>>> /tmp/tmpqvyryz80: line 5: Bad configuration option:
>>>>>>> pubkeyacceptedalgorithms
>>>>>>> /tmp/tmpqvyryz80: line 6: Bad configuration option:
>>>>>>> hostbasedacceptedalgorithms
>>>>>>> /tmp/tmpqvyryz80: line 8: Bad configuration option:
>>>>>>> requiredrsasize
>>>>>>> /tmp/tmpqvyryz80: terminating, 3 bad configuration options
>>>>>>> There is an error in OpenSSH server generated policy
>>>>>> https://autobuilder.yoctoproject.org/valkyrie/?#/builders/3/builds/1027/steps/11/logs/stdio
>>>>>>
>>>>>>
>>>>>>
>>>>>> Can you have a look at this error please?
>>>>> I tested the recipe on Fedora 41 with:
>>>>> * nss 3.107.0 installed with /usr/bin/nss-policy-check present, and
>>>>> * faking uninstalling it by renaming /usr/bin/nss-policy-check
>>>>>
>>>>> Both worked.
>>>>>
>>>>> Some of your build hosts where nss was not installed complained
>>>>> about executing nss-policy-check unconditionally, which is now
>>>>> fixed.
>>>>>
>>>>> I think this is on a build host with a very old nss version
>>>>> installed.
>>>>> Can you uninstall it?
>>>> I found an alternative solution but it involves patching out
>>>> most of the policy generators:
>>>>
>>>> ================================================
>>>> $ git diff python/policygenerators/__init__.py
>>>> diff --git a/python/policygenerators/__init__.py
>>>> b/python/policygenerators/__init__.py
>>>> index 0e3013e..180fb2a 100644
>>>> --- a/python/policygenerators/__init__.py
>>>> +++ b/python/policygenerators/__init__.py
>>>> @@ -3,34 +3,8 @@
>>>>     # Copyright (c) 2019 Red Hat, Inc.
>>>>     # Copyright (c) 2019 Tomáš Mráz <tmraz@fedoraproject.org>
>>>>
>>>> -from .bind import BindGenerator
>>>> -from .gnutls import GnuTLSGenerator
>>>> -from .java import JavaGenerator
>>>> -from .krb5 import KRB5Generator
>>>> -from .libreswan import LibreswanGenerator
>>>> -from .libssh import LibsshGenerator
>>>> -from .nss import NSSGenerator
>>>> -from .openssh import OpenSSHClientGenerator, OpenSSHServerGenerator
>>>> -from .openssl import (
>>>> -    OpenSSLConfigGenerator,
>>>> -    OpenSSLFIPSGenerator,
>>>> -    OpenSSLGenerator,
>>>> -)
>>>> -from .sequoia import RPMSequoiaGenerator, SequoiaGenerator
>>>> +from .sequoia import RPMSequoiaGenerator
>>>>
>>>>     __all__ = [
>>>> -    'BindGenerator',
>>>> -    'GnuTLSGenerator',
>>>> -    'JavaGenerator',
>>>> -    'KRB5Generator',
>>>> -    'LibreswanGenerator',
>>>> -    'LibsshGenerator',
>>>> -    'NSSGenerator',
>>>> -    'OpenSSHClientGenerator',
>>>> -    'OpenSSHServerGenerator',
>>>> -    'OpenSSLConfigGenerator',
>>>> -    'OpenSSLFIPSGenerator',
>>>> -    'OpenSSLGenerator',
>>>>         'RPMSequoiaGenerator',
>>>> -    'SequoiaGenerator',
>>>>     ]
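Review bot: this hunk removes every generator except RPMSequoiaGenerator, which is much broader than the problem needs: as noted further down the thread, only the openssh and opensshserver checks fail and they can be skipped with an environment variable, so dropping the Bind, GnuTLS, Java, KRB5, Libreswan, libssh, NSS, OpenSSL and plain Sequoia back-ends (and their `__all__` entries) also discards the consistency checks for policies that were building fine. A narrower approach would keep `__init__.py` untouched and disable just the two OpenSSH checks for the native build; if the import list does have to be trimmed, the patch should at least keep `SequoiaGenerator` from the same `.sequoia` module and carry the "Upstream-Status: Inappropriate" tag mentioned below with a one-line reason.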
>>>> ================================================
>>>>
>>>> That should work with this old nss version according to
>>>> the log.do_compile output.
>>>>
>>>> I can't see an easy way to make these imports and list conditional,
>>>> so the patch would be "Upstream-Status: Inappropriate".
>>>>
>>>> Since it should only happen for the native build, the patch can be
>>>>
>>>> SRC_URI:append:class-native = "..."
>>>>
>>>> As far as I know, /usr/bin is filtered from target builds but not
>>>> from native builds.
>>> We only allow access to things from HOSTTOOLS, nothing else is meant to
>>> be used, even for native builds.
>> As I wrote, I misdiagnosed it. There's no problem with nss-policy-check.
>>
>> Does HOSTTOOLS include /usr/bin/ssh and /usr/bin/sshd?
>> Because the test_config() class method only fails for openssh and opensshserver.
>> They can be ignored with an envvar.
>>
Patch

diff --git a/meta/conf/distro/include/maintainers.inc b/meta/conf/distro/include/maintainers.inc
index bec55a7c1c..648c8fceb8 100644
--- a/meta/conf/distro/include/maintainers.inc
+++ b/meta/conf/distro/include/maintainers.inc
@@ -744,6 +744,7 @@  RECIPE_MAINTAINER:pn-rpcbind = "Hongxu Jia <hongxu.jia@windriver.com>"
 RECIPE_MAINTAINER:pn-rng-tools = "Anuj Mittal <anuj.mittal@intel.com>"
 RECIPE_MAINTAINER:pn-rpcsvc-proto = "Khem Raj <raj.khem@gmail.com>"
 RECIPE_MAINTAINER:pn-rpm = "Robert Yang <liezhi.yang@windriver.com>"
+RECIPE_MAINTAINER:pn-rpm-sequoia-crypto-policy = "Zoltán Böszörményi <zboszor@gmail.com>"
 RECIPE_MAINTAINER:pn-rsync = "Yi Zhao <yi.zhao@windriver.com>"
 RECIPE_MAINTAINER:pn-rt-tests = "Unassigned <unassigned@yoctoproject.org>"
 RECIPE_MAINTAINER:pn-ruby = "Ross Burton <ross.burton@arm.com>"
diff --git a/meta/recipes-devtools/rpm-sequoia/rpm-sequoia-crypto-policy_git.bb b/meta/recipes-devtools/rpm-sequoia/rpm-sequoia-crypto-policy_git.bb
new file mode 100644
index 0000000000..37ace2c78c
--- /dev/null
+++ b/meta/recipes-devtools/rpm-sequoia/rpm-sequoia-crypto-policy_git.bb
@@ -0,0 +1,34 @@ 
+SUMMARY = "Crypto policy for rpm-sequoia"
+HOMEPAGE = "https://gitlab.com/redhat-crypto/fedora-crypto-policies/"
+
+LICENSE = "LGPL-2.1-or-later"
+
+LIC_FILES_CHKSUM = "file://COPYING.LESSER;md5=a6f89e2100d9b6cdffcea4f398e37343"
+
+DEPENDS = "coreutils-native openssl-native make-native"
+
+inherit allarch python3native
+
+SRC_URI = "git://gitlab.com/redhat-crypto/fedora-crypto-policies.git;protocol=https;branch=master"
+
+SRCREV = "032b418a6db842f0eab330eb5909e4604e888728"
+UPSTREAM_CHECK_COMMITS = "1"
+
+S = "${UNPACKDIR}/git"
+
+do_compile () {
+	# Remove most policy variants, leave DEFAULT.pol
+	# It speeds up the build and we only need DEFAULT/rpm-sequoia.
+	rm -f $(ls -1 policies/*.pol | grep -v DEFAULT.pol) || echo nothing to delete
+
+	make ASCIIDOC=echo XSLTPROC=echo
+}
+
+do_install () {
+	install -d -m755 ${D}${datadir}/crypto-policies/back-ends
+	install -m644 ${S}/output/DEFAULT/rpm-sequoia.txt ${D}${datadir}/crypto-policies/back-ends/rpm-sequoia.config
+}
+
+FILES:${PN} = "${datadir}/crypto-policies/back-ends/*"
+
+BBCLASSEXTEND = "native"
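Review bot: `do_compile` still runs the upstream build's per-back-end configuration check against whatever tools the build host provides (the thread above shows `test_config()` failing for openssh and opensshserver with "Bad configuration option: pubkeyacceptedalgorithms", apparently because the host's ssh/sshd is invoked), and nothing in the recipe pins or disables that, so the result depends on the host's OpenSSH version and is not reproducible across autobuilder workers; either skip those checks via the environment variable mentioned in the thread or make the required tools an explicit dependency. Two smaller points in the same hunk: `rm -f $(ls -1 policies/*.pol | grep -v DEFAULT.pol) || echo nothing to delete` parses `ls` output and masks failures, and `find policies -name '*.pol' ! -name DEFAULT.pol -delete` does the same job without either issue; and `make ASCIIDOC=echo XSLTPROC=echo` silently stubs out the documentation tools, which deserves a comment saying the manual pages are intentionally not built.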