Message ID | 20250206114547.3441965-1-zboszor@gmail.com |
---|---|
State | New |
Series | [v9,1/5] rpm-sequoia-crypto-policy: New recipe |
On Thu, 2025-02-06 at 12:45 +0100, Zoltan Boszormenyi via lists.openembedded.org wrote:
> This ships a crypto policy file for rpm-sequoia.
>
> Signed-off-by: Zoltán Böszörményi <zboszor@gmail.com>
> ---
>  meta/conf/distro/include/maintainers.inc      |  1 +
>  ...1-Make-xsltproc-settable-as-XSLTPROC.patch | 43 +++++++++++++++++++
>  ...002-Don-t-use-hardcoded-python3-path.patch | 41 ++++++++++++++++++
>  .../rpm-sequoia-crypto-policy_git.bb          | 34 +++++++++++++++
>  4 files changed, 119 insertions(+)
>  create mode 100644 meta/recipes-devtools/rpm-sequoia/rpm-sequoia-crypto-policy/0001-Make-xsltproc-settable-as-XSLTPROC.patch
>  create mode 100644 meta/recipes-devtools/rpm-sequoia/rpm-sequoia-crypto-policy/0002-Don-t-use-hardcoded-python3-path.patch
>  create mode 100644 meta/recipes-devtools/rpm-sequoia/rpm-sequoia-crypto-policy_git.bb

The new recipe doesn't seem to build on musl:

https://autobuilder.yoctoproject.org/valkyrie/#/builders/6/builds/969
https://autobuilder.yoctoproject.org/valkyrie/#/builders/3/builds/985/steps/11/logs/stdio

and the policy recipe is struggling in world builds such as:

https://autobuilder.yoctoproject.org/valkyrie/#/builders/25/builds/958/steps/11/logs/stdio
https://autobuilder.yoctoproject.org/valkyrie/#/builders/59/builds/956/steps/11/logs/stdio
https://autobuilder.yoctoproject.org/valkyrie/#/builders/59/builds/956
https://autobuilder.yoctoproject.org/valkyrie/#/builders/17/builds/887/steps/11/logs/stdio

and in reproducibility testing as a build failure:

https://autobuilder.yoctoproject.org/valkyrie/#/builders/37/builds/993/steps/12/logs/stdio

Cheers,

Richard
On 2025. 02. 07. 11:25, Richard Purdie wrote:
> On Thu, 2025-02-06 at 12:45 +0100, Zoltan Boszormenyi via lists.openembedded.org wrote:
>> This ships a crypto policy file for rpm-sequoia.
>>
>> Signed-off-by: Zoltán Böszörményi <zboszor@gmail.com>
>> ---
>>  meta/conf/distro/include/maintainers.inc      |  1 +
>>  ...1-Make-xsltproc-settable-as-XSLTPROC.patch | 43 +++++++++++++++++++
>>  ...002-Don-t-use-hardcoded-python3-path.patch | 41 ++++++++++++++++++
>>  .../rpm-sequoia-crypto-policy_git.bb          | 34 +++++++++++++++
>>  4 files changed, 119 insertions(+)
>>  create mode 100644 meta/recipes-devtools/rpm-sequoia/rpm-sequoia-crypto-policy/0001-Make-xsltproc-settable-as-XSLTPROC.patch
>>  create mode 100644 meta/recipes-devtools/rpm-sequoia/rpm-sequoia-crypto-policy/0002-Don-t-use-hardcoded-python3-path.patch
>>  create mode 100644 meta/recipes-devtools/rpm-sequoia/rpm-sequoia-crypto-policy_git.bb
> The new recipe doesn't seem to build on musl:
>
> https://autobuilder.yoctoproject.org/valkyrie/#/builders/6/builds/969
> https://autobuilder.yoctoproject.org/valkyrie/#/builders/3/builds/985/steps/11/logs/stdio

The problem is not musl per se, it's that one of the Python scripts executes /usr/bin/nss-policy-check which is part of nss and does not exist on the build host. This may be patched to be used from PATH.

However, nss is part of meta-openembedded. Either rpm-sequoia-crypto-policy and rpm-sequoia should go into meta-openembedded (in which case the signing self test would rely on meta-openembedded or be moved there, too) or nss must be moved to openembedded-core.

Alternatively, as the least intrusive change, testing the policy with nss-policy-check can be omitted as a Yocto-specific patch (because we can trust Fedora's own CI for this repository that does check the validity of policy changes), in which case the current setup can stay.

What is the preferred way?

FWIW, I tested the last method (patching away testing the policy) with /usr/bin/nss-policy-check renamed, so executing it would fail. The recipe was built successfully, with setting TCLIBC to musl even. The generated policy file is identical to the one seen on Fedora 41.

I will send the v10 series with this change if that's acceptable.

All the other logs below seem to hit the same issue.

> and the policy recipe is struggling in world builds such as:
>
> https://autobuilder.yoctoproject.org/valkyrie/#/builders/25/builds/958/steps/11/logs/stdio
> https://autobuilder.yoctoproject.org/valkyrie/#/builders/59/builds/956/steps/11/logs/stdio
> https://autobuilder.yoctoproject.org/valkyrie/#/builders/59/builds/956
> https://autobuilder.yoctoproject.org/valkyrie/#/builders/17/builds/887/steps/11/logs/stdio
>
> and in reproducibility testing as a build failure:
>
> https://autobuilder.yoctoproject.org/valkyrie/#/builders/37/builds/993/steps/12/logs/stdio
>
> Cheers,
>
> Richard
diff --git a/meta/conf/distro/include/maintainers.inc b/meta/conf/distro/include/maintainers.inc index bec55a7c1c..648c8fceb8 100644 --- a/meta/conf/distro/include/maintainers.inc +++ b/meta/conf/distro/include/maintainers.inc @@ -744,6 +744,7 @@ RECIPE_MAINTAINER:pn-rpcbind = "Hongxu Jia <hongxu.jia@windriver.com>" RECIPE_MAINTAINER:pn-rng-tools = "Anuj Mittal <anuj.mittal@intel.com>" RECIPE_MAINTAINER:pn-rpcsvc-proto = "Khem Raj <raj.khem@gmail.com>" RECIPE_MAINTAINER:pn-rpm = "Robert Yang <liezhi.yang@windriver.com>" +RECIPE_MAINTAINER:pn-rpm-sequoia-crypto-policy = "Zoltán Böszörményi <zboszor@gmail.com>" RECIPE_MAINTAINER:pn-rsync = "Yi Zhao <yi.zhao@windriver.com>" RECIPE_MAINTAINER:pn-rt-tests = "Unassigned <unassigned@yoctoproject.org>" RECIPE_MAINTAINER:pn-ruby = "Ross Burton <ross.burton@arm.com>" diff --git a/meta/recipes-devtools/rpm-sequoia/rpm-sequoia-crypto-policy/0001-Make-xsltproc-settable-as-XSLTPROC.patch b/meta/recipes-devtools/rpm-sequoia/rpm-sequoia-crypto-policy/0001-Make-xsltproc-settable-as-XSLTPROC.patch new file mode 100644 index 0000000000..dc57989c2d --- /dev/null +++ b/meta/recipes-devtools/rpm-sequoia/rpm-sequoia-crypto-policy/0001-Make-xsltproc-settable-as-XSLTPROC.patch 
@@ -0,0 +1,43 @@ +From f4adfb74c1f13cbddcbc20b6aa6aebe58956083e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zolt=C3=A1n=20B=C3=B6sz=C3=B6rm=C3=A9nyi?= + <zboszor@gmail.com> +Date: Thu, 6 Feb 2025 12:20:09 +0100 +Subject: [PATCH 1/2] Make xsltproc settable as XSLTPROC +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This allows not building the documentation with: + + make ASCIIDOC=echo XSLTPROC=echo + +Signed-off-by: Zoltán Böszörményi <zboszor@gmail.com> +Upstream-Status: Submitted [https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/merge_requests/226] +--- + Makefile | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/Makefile b/Makefile +index 9d2b5c7..36b3702 100644 +--- a/Makefile ++++ b/Makefile +@@ -15,6 +15,7 @@ NUM_PROCS = $$(getconf _NPROCESSORS_ONLN) + PYVERSION = -3 + DIFFTOOL?=meld + ASCIIDOC?=asciidoc ++XSLTPROC?=xsltproc + ifneq ("$(wildcard /usr/lib/python*/*/asciidoc/resources/docbook-xsl/manpage.xsl)","") + MANPAGEXSL?=$(wildcard /usr/lib/python*/*/asciidoc/resources/docbook-xsl/manpage.xsl) + else +@@ -134,7 +135,7 @@ clean: + + %: %.txt + $(ASCIIDOC) -v -d manpage -b docbook $< +- xsltproc --nonet -o $@ ${MANPAGEXSL} $@.xml ++ $(XSLTPROC) --nonet -o $@ ${MANPAGEXSL} $@.xml + + dist: + rm -rf crypto-policies && git clone . crypto-policies && rm -rf crypto-policies/.git/ && tar -czf crypto-policies-git$(VERSION).tar.gz crypto-policies && rm -rf crypto-policies +-- +2.48.1 + diff --git a/meta/recipes-devtools/rpm-sequoia/rpm-sequoia-crypto-policy/0002-Don-t-use-hardcoded-python3-path.patch b/meta/recipes-devtools/rpm-sequoia/rpm-sequoia-crypto-policy/0002-Don-t-use-hardcoded-python3-path.patch new file mode 100644 index 0000000000..a34f3c3a3b --- /dev/null +++ b/meta/recipes-devtools/rpm-sequoia/rpm-sequoia-crypto-policy/0002-Don-t-use-hardcoded-python3-path.patch 
@@ -0,0 +1,41 @@ +From 47e70118dbd491a2aaf5669dc93e3f1471d19510 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zolt=C3=A1n=20B=C3=B6sz=C3=B6rm=C3=A9nyi?= + <zboszor@gmail.com> +Date: Thu, 6 Feb 2025 12:00:36 +0100 +Subject: [PATCH 2/2] Don't use hardcoded python3 path +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This can help with cross-compiling. + +Signed-off-by: Zoltán Böszörményi <zboszor@gmail.com> +Upstream-Status: Submitted [https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/merge_requests/226] +--- + python/build-crypto-policies.py | 2 +- + python/update-crypto-policies.py | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/python/build-crypto-policies.py b/python/build-crypto-policies.py +index a08ece2..a75b6f6 100755 +--- a/python/build-crypto-policies.py ++++ b/python/build-crypto-policies.py +@@ -1,4 +1,4 @@ +-#!/usr/bin/python3 ++#!/usr/bin/env python3 + + # SPDX-License-Identifier: LGPL-2.1-or-later + +diff --git a/python/update-crypto-policies.py b/python/update-crypto-policies.py +index 97487dc..935bc9e 100755 +--- a/python/update-crypto-policies.py ++++ b/python/update-crypto-policies.py +@@ -1,4 +1,4 @@ +-#!/usr/bin/python3 ++#!/usr/bin/env python3 + + # SPDX-License-Identifier: LGPL-2.1-or-later + +-- +2.48.1 + diff --git a/meta/recipes-devtools/rpm-sequoia/rpm-sequoia-crypto-policy_git.bb b/meta/recipes-devtools/rpm-sequoia/rpm-sequoia-crypto-policy_git.bb new file mode 100644 index 0000000000..e175a5d5ef --- /dev/null +++ b/meta/recipes-devtools/rpm-sequoia/rpm-sequoia-crypto-policy_git.bb 
@@ -0,0 +1,34 @@ +SUMMARY = "Crypto policy for rpm-sequoia" +HOMEPAGE = "https://gitlab.com/redhat-crypto/fedora-crypto-policies/" + +LICENSE = "LGPL-2.1-or-later" + +LIC_FILES_CHKSUM = "file://COPYING.LESSER;md5=a6f89e2100d9b6cdffcea4f398e37343" + +DEPENDS = "coreutils-native openssl-native make-native" + +inherit allarch python3native + +SRC_URI = " \ + git://gitlab.com/redhat-crypto/fedora-crypto-policies.git;protocol=https;branch=master \ + file://0001-Make-xsltproc-settable-as-XSLTPROC.patch \ + file://0002-Don-t-use-hardcoded-python3-path.patch \ +" + +SRCREV = "445ecc87af202c8fc9249b453f41c3ac4553ffbd" +UPSTREAM_CHECK_COMMITS = "1" + +S = "${UNPACKDIR}/git" + +do_compile () { + make ASCIIDOC=echo XSLTPROC=echo +} + +do_install () { + mkdir -p ${D}${datadir}/crypto-policies/back-ends + install -m644 ${S}/output/DEFAULT/rpm-sequoia.txt ${D}${datadir}/crypto-policies/back-ends/rpm-sequoia.config +} + +FILES:${PN} = "${datadir}/crypto-policies/back-ends/*" + +BBCLASSEXTEND = "native"
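Review bot: in 0002-Don-t-use-hardcoded-python3-path.patch, the second hunk changes python/update-crypto-policies.py, but nothing visible in the recipe uses or ships that script: do_install copies only output/DEFAULT/rpm-sequoia.txt. If only build-crypto-policies.py runs during make, drop the second file from the carried patch so the delta against upstream stays minimal, or say in the commit message why both are needed. The message "This can help with cross-compiling" would also be clearer if it named the concrete reason, for example that python3native puts the native interpreter on PATH rather than at /usr/bin/python3.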
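Review bot: in rpm-sequoia-crypto-policy_git.bb, do_compile runs the upstream default make target with only ASCIIDOC and XSLTPROC stubbed out, while DEPENDS lists just coreutils-native, openssl-native and make-native. As reported in this thread, that build path executes /usr/bin/nss-policy-check from the build host, which none of the listed dependencies provides, so the outcome depends on what happens to be installed on the worker. Either carry a patch that skips that check or add a native provider of the tool to DEPENDS, and record in the recipe which route was taken, since skipping it means the check no longer runs in the OE build. Minor style point in do_install: install -d is the usual form instead of mkdir -p, and install -m 0644 reads more clearly than install -m644.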
This ships a crypto policy file for rpm-sequoia.

Signed-off-by: Zoltán Böszörményi <zboszor@gmail.com>
---
 meta/conf/distro/include/maintainers.inc      |  1 +
 ...1-Make-xsltproc-settable-as-XSLTPROC.patch | 43 +++++++++++++++++++
 ...002-Don-t-use-hardcoded-python3-path.patch | 41 ++++++++++++++++++
 .../rpm-sequoia-crypto-policy_git.bb          | 34 +++++++++++++++
 4 files changed, 119 insertions(+)
 create mode 100644 meta/recipes-devtools/rpm-sequoia/rpm-sequoia-crypto-policy/0001-Make-xsltproc-settable-as-XSLTPROC.patch
 create mode 100644 meta/recipes-devtools/rpm-sequoia/rpm-sequoia-crypto-policy/0002-Don-t-use-hardcoded-python3-path.patch
 create mode 100644 meta/recipes-devtools/rpm-sequoia/rpm-sequoia-crypto-policy_git.bb