On 2025. 02. 13. 16:06, Richard Purdie wrote:
On Thu, 2025-02-13 at 15:43 +0100, Böszörményi Zoltán wrote:
On 2025. 02. 13. 15:20, Zoltan Boszormenyi via
lists.openembedded.org wrote:
On 2025. 02. 13. 14:36, Mathieu Dubois-Briand wrote:
On Wed Feb 12, 2025 at 5:35 AM CET, Zoltán Böszörményi wrote:
This ships a crypto policy file for rpm-sequoia.
Signed-off-by: Zoltán Böszörményi <zbos...@gmail.com>
---
Hi Zoltán,
I believe we have a new issue with this version:
python/build-crypto-policies.py --reloadcmds policies output
/tmp/tmpqvyryz80: line 5: Bad configuration option:
pubkeyacceptedalgorithms
/tmp/tmpqvyryz80: line 6: Bad configuration option:
hostbasedacceptedalgorithms
/tmp/tmpqvyryz80: line 8: Bad configuration option:
requiredrsasize
/tmp/tmpqvyryz80: terminating, 3 bad configuration options
There is an error in OpenSSH server generated policy
https://autobuilder.yoctoproject.org/valkyrie/?#/builders/3/builds/1027/steps/11/logs/stdio
Can you have a look at this error please?
I tested the recipe on Fedora 41 with:
* nss 3.107.0 installed with /usr/bin/nss-policy-check present, and
* faking uninstalling it by renaming /usr/bin/nss-policy-check
Both worked.
Some of your build hosts where nss was not installed complained
about executing nss-policy-check unconditionally, which is now
fixed.
I think this is on a build host with a very old nss version
installed.
Can you uninstall it?
I found an alternative solution but it involves patching out
most of the policy generators:
================================================
$ git diff python/policygenerators/__init__.py
diff --git a/python/policygenerators/__init__.py
b/python/policygenerators/__init__.py
index 0e3013e..180fb2a 100644
--- a/python/policygenerators/__init__.py
+++ b/python/policygenerators/__init__.py
@@ -3,34 +3,8 @@
# Copyright (c) 2019 Red Hat, Inc.
# Copyright (c) 2019 Tomáš Mráz <tm...@fedoraproject.org>
-from .bind import BindGenerator
-from .gnutls import GnuTLSGenerator
-from .java import JavaGenerator
-from .krb5 import KRB5Generator
-from .libreswan import LibreswanGenerator
-from .libssh import LibsshGenerator
-from .nss import NSSGenerator
-from .openssh import OpenSSHClientGenerator, OpenSSHServerGenerator
-from .openssl import (
- OpenSSLConfigGenerator,
- OpenSSLFIPSGenerator,
- OpenSSLGenerator,
-)
-from .sequoia import RPMSequoiaGenerator, SequoiaGenerator
+from .sequoia import RPMSequoiaGenerator
__all__ = [
- 'BindGenerator',
- 'GnuTLSGenerator',
- 'JavaGenerator',
- 'KRB5Generator',
- 'LibreswanGenerator',
- 'LibsshGenerator',
- 'NSSGenerator',
- 'OpenSSHClientGenerator',
- 'OpenSSHServerGenerator',
- 'OpenSSLConfigGenerator',
- 'OpenSSLFIPSGenerator',
- 'OpenSSLGenerator',
'RPMSequoiaGenerator',
- 'SequoiaGenerator',
]
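Review bot: the removals go well beyond the failing generators. The error quoted in this thread comes from the OpenSSH server policy check, yet the hunk deletes every import and `__all__` entry except `RPMSequoiaGenerator`, including `SequoiaGenerator` on the `from .sequoia import` line. Any module in the tree that still imports one of the removed names from `policygenerators` will raise ImportError after this change, so either narrow the patch to `-from .openssh import OpenSSHClientGenerator, OpenSSHServerGenerator` and the two matching `__all__` entries, or add a comment at the top of the patch stating that only the rpm-sequoia back-end is meant to be generated and that callers of the other generators were checked.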
================================================
That should work with this old nss version according to
the log.do_compile output.
I can't see an easy way to make these imports and list conditional,
so the patch would be "Upstream-Status: Inappropriate".
Since it should only happen for the native build, the patch can be
SRC_URI:append:class-native = "..."
As far as I know, /usr/bin is filtered from target builds but not
from native builds.
We only allow access to things from HOSTTOOLS, nothing else is meant to
be used, even for native builds.
As I wrote, I misdiagnosed it. There's no problem with nss-policy-check.
Does HOSTTOOLS include /usr/bin/ssh and /usr/bin/sshd?
Because the test_config() class method only fails for openssh and opensshserver.
They can be ignored with an envvar.
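An added example (not part of the thread and not crypto-policies code): a small Python triage helper for the sshd output quoted above, which lists the rejected keywords and reports the oldest OpenSSH release that would accept all of them. The names `triage`, `INTRODUCED_IN` and `SAMPLE_LOG` are this example's own, and the keyword-to-release table is taken from the OpenSSH release notes, not from the thread.

```python
import re

# Constructed sample: the sshd output quoted in the thread, with the
# mail-wrapped option names rejoined onto their lines.
SAMPLE_LOG = """\
/tmp/tmpqvyryz80: line 5: Bad configuration option: pubkeyacceptedalgorithms
/tmp/tmpqvyryz80: line 6: Bad configuration option: hostbasedacceptedalgorithms
/tmp/tmpqvyryz80: line 8: Bad configuration option: requiredrsasize
/tmp/tmpqvyryz80: terminating, 3 bad configuration options
"""

# First OpenSSH release that accepts each keyword (assumption of this
# example, taken from the OpenSSH release notes).
INTRODUCED_IN = {
    "pubkeyacceptedalgorithms": (8, 5),
    "hostbasedacceptedalgorithms": (8, 5),
    "requiredrsasize": (9, 1),
}

# \s* after the colon also spans a line break, so the wrapped form
# seen in the mail ("option:" / newline / keyword) is parsed as well.
BAD_OPTION = re.compile(
    r"^\S+: line (?P<line>\d+): Bad configuration option:\s*(?P<opt>\S+)",
    re.M,
)
TERMINATING = re.compile(r"terminating, (\d+) bad configuration options?")


def triage(log):
    """Summarise which directives the host's sshd refused to parse."""
    rejected = [(int(m["line"]), m["opt"].lower())
                for m in BAD_OPTION.finditer(log)]
    declared = TERMINATING.search(log)
    versions = [INTRODUCED_IN[o] for _, o in rejected if o in INTRODUCED_IN]
    return {
        "rejected": rejected,
        # True when we parsed as many errors as sshd says it found.
        "complete": bool(declared) and int(declared.group(1)) == len(rejected),
        # Oldest host OpenSSH that would accept every rejected keyword.
        "min_openssh": max(versions) if versions else None,
        # Keywords not in the table: look at the generated policy
        # itself rather than at the age of the host tool.
        "unexplained": [o for _, o in rejected if o not in INTRODUCED_IN],
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

An empty `unexplained` list together with a `min_openssh` newer than the build host's `sshd -V` points at the host tool rather than at the generated policy.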