On Thu, 2025-02-13 at 15:43 +0100, Böszörményi Zoltán wrote:
> On 2025. 02. 13. 15:20, Zoltan Boszormenyi via
> lists.openembedded.org wrote:
> > On 2025. 02. 13. 14:36, Mathieu Dubois-Briand wrote:
> > > On Wed Feb 12, 2025 at 5:35 AM CET, Zoltán Böszörményi wrote:
> > > > This ships a crypto policy file for rpm-sequoia.
> > > >
> > > > Signed-off-by: Zoltán Böszörményi <zbos...@gmail.com>
> > > > ---
> > > Hi Zoltán,
> > >
> > > I believe we have a new issue with this version:
> > >
> > > > python/build-crypto-policies.py --reloadcmds policies output
> > > > /tmp/tmpqvyryz80: line 5: Bad configuration option:
> > > > pubkeyacceptedalgorithms
> > > > /tmp/tmpqvyryz80: line 6: Bad configuration option:
> > > > hostbasedacceptedalgorithms
> > > > /tmp/tmpqvyryz80: line 8: Bad configuration option:
> > > > requiredrsasize
> > > > /tmp/tmpqvyryz80: terminating, 3 bad configuration options
> > > > There is an error in OpenSSH server generated policy
> > >
> > > https://autobuilder.yoctoproject.org/valkyrie/?#/builders/3/builds/1027/steps/11/logs/stdio
> > >
> > >
> > >
> > > Can you have a look at this error please?
> >
> > I tested the recipe on Fedora 41 with:
> > * nss 3.107.0 installed with /usr/bin/nss-policy-check present, and
> > * faking uninstalling it by renaming /usr/bin/nss-policy-check
> >
> > Both worked.
> >
> > Some of your build hosts where nss was not installed complained
> > about executing nss-policy-check unconditionally, which is now
> > fixed.
> >
> > I think this is on a build host with a very old nss version
> > installed.
> > Can you uninstall it?
>
> I found an alternative solution but it involves patching out
> most of the policy generators:
>
> ================================================ > $ git diff python/policygenerators/__init__.py > diff --git a/python/policygenerators/__init__.py > b/python/policygenerators/__init__.py > index 0e3013e..180fb2a 100644 > --- a/python/policygenerators/__init__.py
> +++ b/python/policygenerators/__init__.py > @@ -3,34 +3,8 @@ > # Copyright (c) 2019 Red Hat, Inc. > # Copyright (c) 2019 Tomáš Mráz <tm...@fedoraproject.org> > > -from .bind import BindGenerator > -from .gnutls import GnuTLSGenerator > -from .java import JavaGenerator > -from .krb5 import KRB5Generator > -from .libreswan import LibreswanGenerator > -from .libssh import LibsshGenerator > -from .nss import NSSGenerator > -from .openssh import OpenSSHClientGenerator, OpenSSHServerGenerator > -from .openssl import ( > - OpenSSLConfigGenerator, > - OpenSSLFIPSGenerator, > - OpenSSLGenerator, > -) > -from .sequoia import RPMSequoiaGenerator, SequoiaGenerator > +from .sequoia import RPMSequoiaGenerator > > __all__ = [ > - 'BindGenerator', > - 'GnuTLSGenerator', > - 'JavaGenerator', > - 'KRB5Generator', > - 'LibreswanGenerator', > - 'LibsshGenerator', > - 'NSSGenerator', > - 'OpenSSHClientGenerator', > - 'OpenSSHServerGenerator', > - 'OpenSSLConfigGenerator', > - 'OpenSSLFIPSGenerator', > - 'OpenSSLGenerator', > 'RPMSequoiaGenerator', > - 'SequoiaGenerator', > ] > ================================================
>
> That should work with this old nss version according to
> the log.do_compile output.
>
> I can't see an easy way to make these imports and list conditional,
> so the patch would be "Upstream-Status: Inappropriate".
>
> Since it should only happen for the native build, the patch can be
>
> SRC_URI:append:class-native = "..."
>
> As far as I know, /usr/bin is filtered from target builds but not
> from native builds.
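
Review bot: The import block and `__all__` in python/policygenerators/__init__.py are cut down to `RPMSequoiaGenerator` alone, which also drops `SequoiaGenerator` from the same `.sequoia` module, so any caller that still imports one of the removed names from the package will fail at import time; check the callers before carrying this. Because the change deletes upstream lines wholesale, it will need rebasing whenever upstream touches this list, and the patch header should state why only the rpm-sequoia policy is generated.
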
We only allow access to things from HOSTTOOLS, nothing else is meant to
be used, even for native builds.

Cheers,

Richard