On Thu, 2025-02-13 at 16:14 +0100, Böszörményi Zoltán wrote:
> On 2025. 02. 13. 16:06, Richard Purdie wrote:
> > On Thu, 2025-02-13 at 15:43 +0100, Böszörményi Zoltán wrote:
> > > On 2025. 02. 13. 15:20, Zoltan Boszormenyi via lists.openembedded.org wrote:
> > > > On 2025. 02. 13. 14:36, Mathieu Dubois-Briand wrote:
> > > > > On Wed Feb 12, 2025 at 5:35 AM CET, Zoltán Böszörményi wrote:
> > > > > > This ships a crypto policy file for rpm-sequoia.
> > > > > > > > > > Signed-off-by: Zoltán Böszörményi <zbos...@gmail.com> > > > > > > --- > > > > > Hi Zoltán, > > > > > > > > > > I believe we have a new issue with this version: > > > > > > > > > > > python/build-crypto-policies.py --reloadcmds policies > > > > > > output > > > > > > /tmp/tmpqvyryz80: line 5: Bad configuration option: > > > > > > pubkeyacceptedalgorithms > > > > > > /tmp/tmpqvyryz80: line 6: Bad configuration option: > > > > > > hostbasedacceptedalgorithms > > > > > > /tmp/tmpqvyryz80: line 8: Bad configuration option: > > > > > > requiredrsasize > > > > > > /tmp/tmpqvyryz80: terminating, 3 bad configuration options > > > > > > There is an error in OpenSSH server generated policy > > > > > https://autobuilder.yoctoproject.org/valkyrie/?#/builders/3/builds/1027/steps/11/logs/stdio > > > > > > > > > > > > > > > > > > > > Can you have a look at this error please? > > > > I tested the recipe on Fedora 41 with: > > > > * nss 3.107.0 installed with /usr/bin/nss-policy-check present, > > > > and > > > > * faking uninstalling it by renaming /usr/bin/nss-policy-check > > > > > > > > Both worked. > > > > > > > > Some of your build hosts where nss was not installed complained > > > > about executing nss-policy-check unconditionally, which is now > > > > fixed. > > > > > > > > I think this is on a build host with a very old nss version > > > > installed. > > > > Can you uninstall it? > > > I found an alternative solution but it involves patching out > > > most of the policy generators: > > > > > > ================================================ > > > $ git diff python/policygenerators/__init__.py > > > diff --git a/python/policygenerators/__init__.py > > > b/python/policygenerators/__init__.py > > > index 0e3013e..180fb2a 100644 > > > --- a/python/policygenerators/__init__.py > > > +++ b/python/policygenerators/__init__.py 
> > > @@ -3,34 +3,8 @@ > > > # Copyright (c) 2019 Red Hat, Inc. > > > # Copyright (c) 2019 Tomáš Mráz <tm...@fedoraproject.org> > > > > > > -from .bind import BindGenerator > > > -from .gnutls import GnuTLSGenerator > > > -from .java import JavaGenerator > > > -from .krb5 import KRB5Generator > > > -from .libreswan import LibreswanGenerator > > > -from .libssh import LibsshGenerator > > > -from .nss import NSSGenerator > > > -from .openssh import OpenSSHClientGenerator, > > > OpenSSHServerGenerator > > > -from .openssl import ( > > > - OpenSSLConfigGenerator, > > > - OpenSSLFIPSGenerator, > > > - OpenSSLGenerator, > > > -) > > > -from .sequoia import RPMSequoiaGenerator, SequoiaGenerator > > > +from .sequoia import RPMSequoiaGenerator > > > > > > __all__ = [ > > > - 'BindGenerator', > > > - 'GnuTLSGenerator', > > > - 'JavaGenerator', > > > - 'KRB5Generator', > > > - 'LibreswanGenerator', > > > - 'LibsshGenerator', > > > - 'NSSGenerator', > > > - 'OpenSSHClientGenerator', > > > - 'OpenSSHServerGenerator', > > > - 'OpenSSLConfigGenerator', > > > - 'OpenSSLFIPSGenerator', > > > - 'OpenSSLGenerator', > > > 'RPMSequoiaGenerator', > > > - 'SequoiaGenerator', > > > ] > > > ================================================ > > > > > > That should work with this old nss version according to > > > the log.do_compile output. > > > > > > I can't see an easy way to make these imports and list > > > conditional, > > > so the patch would be "Upstream-Status: Inappropriate". > > > > > > Since it should only happen for the native build, the patch can > > > be > > > > > > SRC_URI:append:class-native = "..." > > > > > > As far as I know, /usr/bin is filtered from target builds but not > > > from native builds. > > We only allow access to things from HOSTTOOLS, nothing else is > > meant to > > be used, even for native builds. > > As I wrote, I misdiagnosed it. There's no problem with nss-policy- > check. > > Does HOSTTOOLS include /usr/bin/ssh and /usr/bin/sshd? 
> Because the test_config() class method only fails for openssh and
> opensshserver.
> They can be ignored with an envvar.
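
Review bot: The import block and `__all__` in `python/policygenerators/__init__.py` are cut down to `RPMSequoiaGenerator` only, which is far wider than the failure being worked around: the quoted build log reports an error only in the OpenSSH server generated policy, and the later diagnosis in this thread is that test_config() fails only for openssh and opensshserver. Dropping the BIND, GnuTLS, Java, KRB5, Libreswan, libssh, NSS and OpenSSL generators as well would leave the native build without those generators, and a patch of this shape, carried as "Upstream-Status: Inappropriate", has to be rebased by hand whenever upstream adds or renames a generator. Suggest keeping this file as upstream ships it and skipping only the two OpenSSH checks through the environment variable mentioned in the follow-up. If the trimmed list is kept anyway, note that `SequoiaGenerator` is removed while `RPMSequoiaGenerator` stays; whether anything else imports the removed names from `policygenerators` is not visible in this hunk and should be confirmed before merging.
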
Yes, those could be pulled in as we use them in qemu testing so we should probably set the envvar...

Cheers,

Richard