On 2025. 02. 07. 11:25, Richard Purdie wrote:
On Thu, 2025-02-06 at 12:45 +0100, Zoltan Boszormenyi via
lists.openembedded.org wrote:
This ships a crypto policy file for rpm-sequoia.
Signed-off-by: Zoltán Böszörményi <zbos...@gmail.com>
---
meta/conf/distro/include/maintainers.inc | 1 +
...1-Make-xsltproc-settable-as-XSLTPROC.patch | 43 +++++++++++++++++++
...002-Don-t-use-hardcoded-python3-path.patch | 41 ++++++++++++++++++
.../rpm-sequoia-crypto-policy_git.bb | 34 +++++++++++++++
4 files changed, 119 insertions(+)
create mode 100644 meta/recipes-devtools/rpm-sequoia/rpm-sequoia-crypto-policy/0001-Make-xsltproc-settable-as-XSLTPROC.patch
create mode 100644 meta/recipes-devtools/rpm-sequoia/rpm-sequoia-crypto-policy/0002-Don-t-use-hardcoded-python3-path.patch
create mode 100644 meta/recipes-devtools/rpm-sequoia/rpm-sequoia-crypto-policy_git.bb
The new recipe doesn't seem to build on musl:
https://autobuilder.yoctoproject.org/valkyrie/#/builders/6/builds/969
https://autobuilder.yoctoproject.org/valkyrie/#/builders/3/builds/985/steps/11/logs/stdio
The problem is not musl per se, it's that one of the
python scripts executes /usr/bin/nss-policy-check
which is part of nss and does not exist on the build host.
This may be patched to be used from PATH.
However, nss is part of meta-openembedded.
Either rpm-sequoia-crypto-policy and rpm-sequoia should
go into meta-openembedded (in which case the signing
self test would rely on meta-openembedded or be moved there, too)
or nss must be moved to openembedded-core.
Alternatively, as the least intrusive change, testing the policy
with nss-policy-check can be omitted as a Yocto-specific patch
(because we can trust Fedora's own CI for this repository that
does check the validity of policy changes), in which case the
current setup can stay.
What is the preferred way?
FWIW, I tested the last method (patching away testing the policy)
with /usr/bin/nss-policy-check renamed, so executing it would fail.
The recipe was built successfully, with setting TCLIBC to musl even.
The generated policy file is identical to the one seen on Fedora 41.
I will send the v10 series with this change if that's acceptable.
All the other logs below seem to hit the same issue.
and the policy recipe is struggling in world builds such as:
https://autobuilder.yoctoproject.org/valkyrie/#/builders/25/builds/958/steps/11/logs/stdio
https://autobuilder.yoctoproject.org/valkyrie/#/builders/59/builds/956/steps/11/logs/stdio
https://autobuilder.yoctoproject.org/valkyrie/#/builders/59/builds/956
https://autobuilder.yoctoproject.org/valkyrie/#/builders/17/builds/887/steps/11/logs/stdio
and in reproducibility testing as a build failure:
https://autobuilder.yoctoproject.org/valkyrie/#/builders/37/builds/993/steps/12/logs/stdio
Cheers,
Richard