Re: [OE-core][PATCH v12 1/5] rpm-sequoia-crypto-policy: New recipe

Thu, 13 Feb 2025 06:40:50 -0800 

2025. 02. 13. 15:32 keltezéssel, Richard Purdie írta:

On Thu, 2025-02-13 at 15:20 +0100, Böszörményi Zoltán wrote:

2025. 02. 13. 14:36 keltezéssel, Mathieu Dubois-Briand írta:

On Wed Feb 12, 2025 at 5:35 AM CET, Zoltán Böszörményi wrote:

This ships a crypto policy file for rpm-sequoia.

Signed-off-by: Zoltán Böszörményi <zbos...@gmail.com>
---

Hi Zoltán,

I believe we have a new issue with this version:


python/build-crypto-policies.py --reloadcmds policies output
/tmp/tmpqvyryz80: line 5: Bad configuration option:
pubkeyacceptedalgorithms
/tmp/tmpqvyryz80: line 6: Bad configuration option:
hostbasedacceptedalgorithms
/tmp/tmpqvyryz80: line 8: Bad configuration option:
requiredrsasize
/tmp/tmpqvyryz80: terminating, 3 bad configuration options
There is an error in OpenSSH server generated policy

https://autobuilder.yoctoproject.org/valkyrie/?#/builders/3/builds/1027/steps/11/logs/stdio

Can you have a look at this error please?

I tested the recipe on Fedora 41 with:
* nss 3.107.0 installed with /usr/bin/nss-policy-check present, and
* faking uninstalling it by renaming /usr/bin/nss-policy-check

Both worked.

Some of your build hosts where nss was not installed complained
about executing nss-policy-check unconditionally, which is now fixed.

I think this is on a build host with a very old nss version
installed.
Can you uninstall it?

We aim to filter the environment and work the same way in all cases so
this sounds like host contamination.

I think we may have to just stop it using it from the host
unconditionally.


It's not used unconditionally from the host anymore.
It's detected via shutil.which() so if it's in PATH, it is used. See:
https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/commit/032b418a6db842f0eab330eb5909e4604e888728


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#211342): 
https://lists.openembedded.org/g/openembedded-core/message/211342
Mute This Topic: https://lists.openembedded.org/mt/111137778/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Reply via email to