Re: [yocto] [meta-security][PATCH 2/2] sssd: add DISTRO_FEATURE sssd
On 4/6/19 12:06 PM, Adrian Bunk wrote: > On Sat, Apr 06, 2019 at 05:54:35AM +0530, akuster808 wrote: >> >> On 4/5/19 1:49 PM, Adrian Bunk wrote: >>> On Fri, Apr 05, 2019 at 11:05:17AM +0530, akuster808 wrote: On 4/5/19 10:29 AM, Adrian Bunk wrote: > On Fri, Apr 05, 2019 at 03:47:46AM +0530, Armin Kuster wrote: >> Signed-off-by: Armin Kuster >> --- >> recipes-security/sssd/sssd_1.16.4.bb | 2 +- >> 1 file changed, 1 insertion(+), 1 deletion(-) >> >> diff --git a/recipes-security/sssd/sssd_1.16.4.bb >> b/recipes-security/sssd/sssd_1.16.4.bb >> index 34bc8c8..d6a308c 100644 >> --- a/recipes-security/sssd/sssd_1.16.4.bb >> +++ b/recipes-security/sssd/sssd_1.16.4.bb 
>> @@ -16,7 +16,7 @@ SRC_URI[sha256sum] = >> "6bb212cd6b75b918e945c24e7c3f95a486fb54d7f7d489a9334cfa1a1f >> >> inherit autotools pkgconfig gettext python-dir distro_features_check >> >> -REQUIRED_DISTRO_FEATURES = "pam" >> +REQUIRED_DISTRO_FEATURES = "pam sssd" >> ... > Adding a distro feature for a leaf package is wrong. Is it a naming issue or something else? I would like to understand so I may avoid making the same mistake. >>> This has nothing to do with naming. >>> It is about getting rid of workarounds by fixing the root cause, >>> instead of adding more and more layers of workarounds. >>> >>> A DISTRO_FEATURE is for cases where PACKAGECONFIG in many recipes should >>> be toggled with one setting, or the setting has to be the same in several >>> recipes. >> The definition is old and needs to be updated to modern time. There a >> plenty of recipes that require libraries the we ended up using this >> mechanism. Look at the X11 situations. The sssd requires PAM but there >> is no PAM config option supported in the recipe so I should remove PAM >> to then? > X11 and PAM are low-level libraries. > > A user might choose to build a distribution without X11 support or > without PAM support, and there is no better solution for this. > > It is not intended for temporary quick hacks. > >>> DISTRO_FEATURES is not appropriate to guard a quick hack workaround for >>> breakage caused by another workaround. >> Its being used in the case of mali support. So I do see value in able >> to use this mechanism in those cases. > What are you referring to here? > >> I do have another option and that is to supply the previous libldb. This >> I know is standard practice for other layers. > I actually wonder why sssd currently requires libldb, > it does not DEPEND on it so is not built against it. Its hard coded in the configure. it is in the DEPENDs list in the recipe. 
>
>>> The problem at hand is that libldb in meta-openembedded was upgraded to
>>> a version not compatible with the version of samba in meta-openembedded.
>> And that should not have been allowed IMHO.
> 0001-ldb-Refuse-to-build-Samba-against-a-newer-minor-vers.patch in samba
> seems to have been added to prevent exactly this in the future.
>
>> What is even worse, one can
>> not install libldb onto a system without seeing the same issues so it
>> appears no one is using it.
> samba uses the internal version and for sssd it is a non-default
> PACKAGECONFIG.

Correct.

>
>>> As workaround the libldb shipped in samba was used and installed by
>>> the samba recipe.
>>>
>>> The proper fix would be to upgrade samba to 4.9 or 4.10,
>>> and use the external libldb again.
>>> This would make all problems caused by having two different versions
>>> of libldb disappear.
>>>
>>> If this is not possible, it is likely samba that should stop just
>>> shipping the (older versions of) the conflicting binaries for now.
>>>
>>> In a semi-related note, the current samba is pretty outdated even for
>>> the 4.8 branch and misses several CVE fixes.
>> Makes you wonder if folks are using samba.
> using != maintaining
>
> Users tend to use whatever is provided by a stable series,
> and trust that this is properly security supported.
>
> They cannot even notice that samba has not been updated for warrior
> before warrior becomes a stable series and they start using it.
>
> Creating an automated regular report based on cve_check for master and
> all supported stable series for several layers might be easy enough.
>
> Currently the output would be depressing for master and worse
> for stable branches.
>
> Actually providing security support by providing properly tested fixes
> for master and 2 supported stable series would be full-time work for
> several people.

yep. Lately we have had 3 stable for a short period while the oldest one gets its last dot release.

Thanks for your input and feedback

kind regards,
- Armin

>
>> - armin
> cu
> Adrian
>
-- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
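Review bot: In the quoted sssd_1.16.4.bb hunk, `REQUIRED_DISTRO_FEATURES = "pam sssd"` introduces a new `sssd` distro feature, but the commit message consists of the Signed-off-by line only, so nothing records why the recipe must now be skipped unless a distro opts in, or what breakage the gate works around. Suggest a commit body that names the underlying conflict (the thread points at the libldb/samba version mismatch) and a comment next to the assignment in the recipe, so the gate can be removed once that conflict is resolved.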
Re: [yocto] QA cycle report for 2.7 M3 RC1
On Tue, 2 Apr 2019 at 20:33, wrote:
> > [15] Bug 13257 - [2.7 M3 rc1] python3 ptest facing timeout issue
> > https://bugzilla.yoctoproject.org/show_bug.cgi?id=13257
>
> I'm hoping a patch from Ross in master fixes this, need to retest ptest
> with this applied.

Sadly I have narrowed this down to the 5.0 kernel update. More information in the bug, would be good to have this independently confirmed.

Updating python to 3.7.3 does not help.

Alex
[yocto] [meta-security][PATCH] clamav: freshclam need bind to run
Add it to the rdepends for that package Signed-off-by: Armin Kuster --- recipes-security/clamav/clamav_0.99.4.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/recipes-security/clamav/clamav_0.99.4.bb b/recipes-security/clamav/clamav_0.99.4.bb index 6219d9e..dbe903f 100644 --- a/recipes-security/clamav/clamav_0.99.4.bb +++ b/recipes-security/clamav/clamav_0.99.4.bb @@ -152,3 +152,5 @@ RCONFLICTS_${PN} += "${PN}-systemd" SYSTEMD_SERVICE_${PN} = "${BPN}.service" RDEPENDS_${PN} += "openssl ncurses-libncurses libbz2 ncurses-libtinfo clamav-freshclam clamav-libclamav" + +RDEPENDS_freshclam = "bind" -- 2.7.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
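Review bot: The added `RDEPENDS_freshclam = "bind"` does not follow the `RDEPENDS_${PN}` form used two lines above it, where the package is listed as `clamav-freshclam`; as written the override names a package called `freshclam`, so the dependency would most likely not attach to the freshclam package at all. If the dependency is wanted it should read `RDEPENDS_${PN}-freshclam`, and the commit message should state which failure it fixes, since it currently gives no symptom.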
Re: [yocto] [meta-security][PATCH] clamav: freshclam need bind to run
On Sat, Apr 06, 2019 at 08:15:40PM +0530, Armin Kuster wrote: > Add it to the rdepends for that package > > Signed-off-by: Armin Kuster > --- > recipes-security/clamav/clamav_0.99.4.bb | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/recipes-security/clamav/clamav_0.99.4.bb > b/recipes-security/clamav/clamav_0.99.4.bb > index 6219d9e..dbe903f 100644 > --- a/recipes-security/clamav/clamav_0.99.4.bb > +++ b/recipes-security/clamav/clamav_0.99.4.bb > @@ -152,3 +152,5 @@ RCONFLICTS_${PN} += "${PN}-systemd" > SYSTEMD_SERVICE_${PN} = "${BPN}.service" > > RDEPENDS_${PN} += "openssl ncurses-libncurses libbz2 ncurses-libtinfo > clamav-freshclam clamav-libclamav" > + > +RDEPENDS_freshclam = "bind" freshclam depending on a DNS server looks very wrong. What is the actual problem? cu Adrian -- "Is there not promise of rain?" Ling Tan asked suddenly out of the darkness. There had been need of rain for many days. "Only a promise," Lao Er said. Pearl S. Buck - Dragon Seed -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
Re: [yocto] [meta-security][PATCH] clamav: freshclam need bind to run
sent the wrong version. v2 later Ill deal with it tomorrow after some much need sleep -armin On 4/6/19 8:15 PM, Armin Kuster wrote: > Add it to the rdepends for that package > > Signed-off-by: Armin Kuster > --- > recipes-security/clamav/clamav_0.99.4.bb | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/recipes-security/clamav/clamav_0.99.4.bb > b/recipes-security/clamav/clamav_0.99.4.bb > index 6219d9e..dbe903f 100644 > --- a/recipes-security/clamav/clamav_0.99.4.bb > +++ b/recipes-security/clamav/clamav_0.99.4.bb > @@ -152,3 +152,5 @@ RCONFLICTS_${PN} += "${PN}-systemd" > SYSTEMD_SERVICE_${PN} = "${BPN}.service" > > RDEPENDS_${PN} += "openssl ncurses-libncurses libbz2 ncurses-libtinfo > clamav-freshclam clamav-libclamav" > + > +RDEPENDS_freshclam = "bind" -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-security[v2]][PATCH] clamav: freshclam need bind to run
Add it to the rdepends for that package [v2] v1 was sent with being first refreshed. fixes: ClamAV update process started at Sat Apr 6 14:59:25 2019 WARNING: Can't query current.cvd.clamav.net WARNING: Invalid DNS reply. Falling back to HTTP mode. ERROR: Can't get information about database.clamav.net: Temporary failure in name resolution ERROR: Can't download main.cvd from database.clamav.net Giving up on database.clamav.net... because: Use DNS to verify virus database version. Freshclam uses DNS TXT records to verify database and software versions and it gets that support from bind. Signed-off-by: Armin Kuster --- recipes-security/clamav/clamav_0.99.4.bb | 1 + 1 file changed, 1 insertion(+) diff --git a/recipes-security/clamav/clamav_0.99.4.bb b/recipes-security/clamav/clamav_0.99.4.bb index d3295db..647e572 100644 --- a/recipes-security/clamav/clamav_0.99.4.bb +++ b/recipes-security/clamav/clamav_0.99.4.bb @@ -152,3 +152,4 @@ RCONFLICTS_${PN} += "${PN}-systemd" SYSTEMD_SERVICE_${PN} = "${BPN}.service" RDEPENDS_${PN} += "openssl ncurses-libncurses libbz2 ncurses-libtinfo clamav-freshclam clamav-libclamav" +RDEPENDS_${PN}-freshclam = "bind" -- 2.17.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
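Review bot: `RDEPENDS_${PN}-freshclam = "bind"` pulls a full DNS server into every image that installs freshclam, while the log in the commit message (`Temporary failure in name resolution`) shows a lookup failing on the client side and the stated reason is only that freshclam queries DNS TXT records. Querying TXT records needs a working resolver configuration on the target, not a local name server, and an extra network daemon widens the image's attack surface; suggest dropping the dependency, or, if some file shipped by bind is genuinely required, naming it in the commit message and depending on the smallest package that provides it. The assignment also uses `=` where the line above uses `+=`, which would discard any earlier `RDEPENDS_${PN}-freshclam` value.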
Re: [yocto] [meta-security][PATCH] clamav: freshclam need bind to run
On 4/6/19 8:31 PM, Adrian Bunk wrote: > On Sat, Apr 06, 2019 at 08:15:40PM +0530, Armin Kuster wrote: >> Add it to the rdepends for that package >> >> Signed-off-by: Armin Kuster >> --- >> recipes-security/clamav/clamav_0.99.4.bb | 2 ++ >> 1 file changed, 2 insertions(+) >> >> diff --git a/recipes-security/clamav/clamav_0.99.4.bb >> b/recipes-security/clamav/clamav_0.99.4.bb >> index 6219d9e..dbe903f 100644 >> --- a/recipes-security/clamav/clamav_0.99.4.bb >> +++ b/recipes-security/clamav/clamav_0.99.4.bb >> @@ -152,3 +152,5 @@ RCONFLICTS_${PN} += "${PN}-systemd" >> SYSTEMD_SERVICE_${PN} = "${BPN}.service" >> >> RDEPENDS_${PN} += "openssl ncurses-libncurses libbz2 ncurses-libtinfo >> clamav-freshclam clamav-libclamav" >> + >> +RDEPENDS_freshclam = "bind" > freshclam depending on a DNS server looks very wrong. got talk to clamav folks then. > > What is the actual problem? ClamAV update process started at Sat Apr 6 14:59:25 2019 WARNING: Can't query current.cvd.clamav.net WARNING: Invalid DNS reply. Falling back to HTTP mode. ERROR: Can't get information about database.clamav.net: Temporary failure in name resolution ERROR: Can't download main.cvd from database.clamav.net Giving up on database.clamav.net... because Use DNS to verify virus database version. Freshclam uses DNS TXT records to verify database and software versions therefor I am including bind. - Armin > cu > Adrian > -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-security][PATCH 1/2] clamav: fix llvm reference version
llvm8.0 does not exist. dropped the version part. Signed-off-by: Armin Kuster --- recipes-security/clamav/clamav_0.99.4.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/recipes-security/clamav/clamav_0.99.4.bb b/recipes-security/clamav/clamav_0.99.4.bb index 9fee831..2067f2d 100644 --- a/recipes-security/clamav/clamav_0.99.4.bb +++ b/recipes-security/clamav/clamav_0.99.4.bb @@ -37,7 +37,7 @@ PACKAGECONFIG ?= "ncurses openssl bz2 zlib llvm" PACKAGECONFIG += " ${@bb.utils.contains("DISTRO_FEATURES", "ipv6", "ipv6", "", d)}" PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)}" -PACKAGECONFIG[llvm] = "--with-system-llvm --with-llvm-linking=dynamic --disable-llvm, ,llvm8.0" +PACKAGECONFIG[llvm] = "--with-system-llvm --with-llvm-linking=dynamic --disable-llvm, ,llvm" PACKAGECONFIG[pcre] = "--with-pcre=${STAGING_LIBDIR}, --without-pcre, libpcre" PACKAGECONFIG[xml] = "--with-xml=${STAGING_LIBDIR}/.., --with-xml=no, libxml2," -- 2.17.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
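Review bot: In the `PACKAGECONFIG[llvm]` line the first (enabled) field still carries `--disable-llvm` alongside `--with-system-llvm --with-llvm-linking=dynamic`, and the second (disabled) field is empty, so with `llvm` in the default `PACKAGECONFIG ?=` list the recipe now depends on `llvm` while asking configure to turn LLVM off. If that is a deliberate stop-gap, say so in the commit message; otherwise move `--disable-llvm` to the second field. The message could also state which recipe the bare name `llvm` is expected to resolve to, since it only says that `llvm8.0` does not exist.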
[yocto] [meta-security][PATCH 2/2] libldb: add waf-cross-answeres
Signed-off-by: Armin Kuster --- files/waf-cross-answers/README| 3 ++ .../cross-answers-aarch64.txt | 39 ++ .../cross-answers-aarch64_be.txt | 39 ++ files/waf-cross-answers/cross-answers-arm.txt | 40 +++ .../waf-cross-answers/cross-answers-armeb.txt | 40 +++ .../waf-cross-answers/cross-answers-i586.txt | 40 +++ .../waf-cross-answers/cross-answers-i686.txt | 40 +++ .../waf-cross-answers/cross-answers-mips.txt | 40 +++ .../cross-answers-mips64.txt | 39 ++ .../cross-answers-mips64el.txt| 39 ++ .../cross-answers-mipsel.txt | 40 +++ .../cross-answers-powerpc.txt | 40 +++ .../cross-answers-powerpc64.txt | 40 +++ .../cross-answers-riscv64.txt | 39 ++ .../cross-answers-x86_64.txt | 39 ++ 15 files changed, 557 insertions(+) create mode 100644 files/waf-cross-answers/README create mode 100644 files/waf-cross-answers/cross-answers-aarch64.txt create mode 100644 files/waf-cross-answers/cross-answers-aarch64_be.txt create mode 100644 files/waf-cross-answers/cross-answers-arm.txt create mode 100644 files/waf-cross-answers/cross-answers-armeb.txt create mode 100644 files/waf-cross-answers/cross-answers-i586.txt create mode 100644 files/waf-cross-answers/cross-answers-i686.txt create mode 100644 files/waf-cross-answers/cross-answers-mips.txt create mode 100644 files/waf-cross-answers/cross-answers-mips64.txt create mode 100644 files/waf-cross-answers/cross-answers-mips64el.txt create mode 100644 files/waf-cross-answers/cross-answers-mipsel.txt create mode 100644 files/waf-cross-answers/cross-answers-powerpc.txt create mode 100644 files/waf-cross-answers/cross-answers-powerpc64.txt create mode 100644 files/waf-cross-answers/cross-answers-riscv64.txt create mode 100644 files/waf-cross-answers/cross-answers-x86_64.txt diff --git a/files/waf-cross-answers/README b/files/waf-cross-answers/README new file mode 100644 index 000..dda45c5 --- /dev/null +++ b/files/waf-cross-answers/README 
@@ -0,0 +1,3 @@ +The files in this directory are cross answers files +used by waf-samba.bbclass, please see waf-samba.bbclass +for details about how they are used. diff --git a/files/waf-cross-answers/cross-answers-aarch64.txt b/files/waf-cross-answers/cross-answers-aarch64.txt new file mode 100644 index 000..1023f6a --- /dev/null +++ b/files/waf-cross-answers/cross-answers-aarch64.txt 
@@ -0,0 +1,39 @@ +Checking uname sysname type: "Linux" +Checking uname version type: "# Wed May 20 10:34:39 UTC 2015" +Checking simple C program: "hello world" +rpath library support: OK +-Wl,--version-script support: OK +Checking getconf LFS_CFLAGS: NO +Checking correct behavior of strtoll: NO +Checking for working strptime: OK +Checking for C99 vsnprintf: "1" +Checking for HAVE_SHARED_MMAP: OK +Checking for HAVE_MREMAP: OK +Checking for HAVE_SECURE_MKSTEMP: OK +Checking for HAVE_IFACE_GETIFADDRS: NO +Checking for HAVE_IFACE_IFCONF: NO +Checking for HAVE_IFACE_IFREQ: NO +Checking for large file support without additional flags: OK +Checking for HAVE_INCOHERENT_MMAP: NO +Checking value of NSIG: "65" +Checking value of _NSIG: "65" +Checking value of SIGRTMAX: "64" +Checking value of SIGRTMIN: "34" +Checking whether the WRFILE -keytab is supported: OK +Checking for kernel change notify support: OK +Checking for Linux kernel oplocks: OK +Checking for kernel share modes: OK +Checking whether POSIX capabilities are available: OK +Checking if can we convert from CP850 to UCS-2LE: OK +Checking if can we convert from UTF-8 to UCS-2LE: OK +vfs_fileid checking for statfs() and struct statfs.f_fsid: OK +Checking whether we can use Linux thread-specific credentials: OK +Checking whether fcntl locking is available: OK +Checking for the maximum value of the 'time_t' type: OK +Checking whether the realpath function allows a NULL argument: OK +Checking for ftruncate extend: OK +getcwd takes a NULL argument: OK +Checking for small off_t: NO +Checking whether blkcnt_t is 32 bit: NO +Checking whether blkcnt_t is 64 bit: OK +Checking whether fcntl lock supports open file description locks: OK diff --git a/files/waf-cross-answers/cross-answers-aarch64_be.txt b/files/waf-cross-answers/cross-answers-aarch64_be.txt new file mode 100644 index 000..1023f6a --- /dev/null +++ b/files/waf-cross-answers/cross-answers-aarch64_be.txt 
@@ -0,0 +1,39 @@ +Checking uname sysname type: "Linux" +Checking uname version type: "# Wed May 20 10:34:39 UTC 2015" +Checking simple C program: "hello world" +rpath library support: OK +-Wl,--version-script support: OK +Checking getconf LFS_CFLAGS: NO +Checking correct behavior of strtoll: NO +Checking for working strptime: OK +Checking for
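Review bot: The diffstat touches only `files/waf-cross-answers/`, so nothing in this patch makes a recipe use the new answer files, and the README defers to `waf-samba.bbclass`, which is not part of the change either; with an empty commit body there is no record of which recipe consumes them or how the answers were produced. Suggest adding both to the commit message. Two details in the visible hunks deserve a line there as well: `cross-answers-aarch64_be.txt` has the same blob id (`1023f6a`) as the little-endian aarch64 file, and the answers include a fixed host string (`Checking uname version type: "# Wed May 20 10:34:39 UTC 2015"`) and security-relevant results such as `Checking for HAVE_SECURE_MKSTEMP: OK` that are accepted without being run on the target.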
Re: [yocto] [meta-security][PATCH] clamav: freshclam need bind to run
On Sun, Apr 07, 2019 at 01:38:38AM +0530, akuster808 wrote: > > > On 4/6/19 8:31 PM, Adrian Bunk wrote: > > On Sat, Apr 06, 2019 at 08:15:40PM +0530, Armin Kuster wrote: > >> Add it to the rdepends for that package > >> > >> Signed-off-by: Armin Kuster > >> --- > >> recipes-security/clamav/clamav_0.99.4.bb | 2 ++ > >> 1 file changed, 2 insertions(+) > >> > >> diff --git a/recipes-security/clamav/clamav_0.99.4.bb > >> b/recipes-security/clamav/clamav_0.99.4.bb > >> index 6219d9e..dbe903f 100644 > >> --- a/recipes-security/clamav/clamav_0.99.4.bb > >> +++ b/recipes-security/clamav/clamav_0.99.4.bb 
> >> @@ -152,3 +152,5 @@ RCONFLICTS_${PN} += "${PN}-systemd" > >> SYSTEMD_SERVICE_${PN} = "${BPN}.service" > >> > >> RDEPENDS_${PN} += "openssl ncurses-libncurses libbz2 ncurses-libtinfo > >> clamav-freshclam clamav-libclamav" > >> + > >> +RDEPENDS_freshclam = "bind" > > freshclam depending on a DNS server looks very wrong. > got talk to clamav folks then. > > > > > What is the actual problem? > > ClamAV update process started at Sat Apr 6 14:59:25 2019 > WARNING: Can't query current.cvd.clamav.net > WARNING: Invalid DNS reply. Falling back to HTTP mode. > ERROR: Can't get information about database.clamav.net: Temporary failure in > name resolution > ERROR: Can't download main.cvd from database.clamav.net > Giving up on database.clamav.net... > > because > > Use DNS to verify virus database version. Freshclam uses DNS TXT records > to verify database and software versions > > therefor I am including bind. freshclam needing DNS information makes sense, which means it must be configured how to access a DNS server. On the local machine you need only DNS client funtionality, just like every user needs for a web browser. Forcing installation of a DNS server is not the correct solution when the actual problem is just a configuration issue on the machine where you were trying it. > - Armin cu Adrian -- "Is there not promise of rain?" Ling Tan asked suddenly out of the darkness. There had been need of rain for many days. "Only a promise," Lao Er said. Pearl S. Buck - Dragon Seed -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
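The reply above attributes the quoted log to resolver configuration on the target rather than to a missing DNS server. The following is an added example, not part of the thread or of meta-security, that triages such a freshclam log against a resolv.conf file; the function names, verdict strings and sample files are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): triage a freshclam update failure.
# Function names and verdict strings are hypothetical.

# Count "nameserver" entries in a resolv.conf-style file (0 if unreadable).
count_nameservers() {
    [ -r "$1" ] || { echo 0; return 0; }
    awk '$1 == "nameserver" && NF >= 2 { n++ } END { print n + 0 }' "$1"
}

# Classify a freshclam log against the resolver configuration.
# Prints one of: resolver-unconfigured, resolver-unreachable,
#                txt-lookup-failed, ok
triage_freshclam() {
    log=$1
    resolv=$2
    ns=$(count_nameservers "$resolv")
    if grep -q 'Temporary failure in name resolution' "$log"; then
        # This is glibc's message for EAI_AGAIN from getaddrinfo().
        if [ "$ns" -eq 0 ]; then
            # With no nameserver line glibc queries 127.0.0.1, so only a
            # DNS server running on the target itself would answer.
            echo resolver-unconfigured
        else
            echo resolver-unreachable    # configured server gave no answer
        fi
    elif grep -q "Can't query current.cvd.clamav.net" "$log"; then
        # No name-resolution error logged: only the TXT version check
        # failed, and freshclam falls back to HTTP mode.
        echo txt-lookup-failed
    else
        echo ok
    fi
}

# Constructed sample input: the log quoted in the thread plus two
# resolv.conf variants (192.0.2.53 is a documentation address).
sample_dir=$(mktemp -d)
trap 'rm -rf "$sample_dir"' EXIT
cat > "$sample_dir/freshclam.log" <<'EOF'
ClamAV update process started at Sat Apr 6 14:59:25 2019
WARNING: Can't query current.cvd.clamav.net
WARNING: Invalid DNS reply. Falling back to HTTP mode.
ERROR: Can't get information about database.clamav.net: Temporary failure in name resolution
ERROR: Can't download main.cvd from database.clamav.net
Giving up on database.clamav.net...
EOF
: > "$sample_dir/resolv.empty"
printf 'search example.test\nnameserver 192.0.2.53\n' > "$sample_dir/resolv.set"
grep 'WARNING' "$sample_dir/freshclam.log" > "$sample_dir/txt-only.log"

echo "no nameserver:  $(triage_freshclam "$sample_dir/freshclam.log" "$sample_dir/resolv.empty")"
echo "nameserver set: $(triage_freshclam "$sample_dir/freshclam.log" "$sample_dir/resolv.set")"
echo "TXT only:       $(triage_freshclam "$sample_dir/txt-only.log" "$sample_dir/resolv.set")"
```

On a target, pass the real freshclam log and `/etc/resolv.conf` instead of the sample files.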
Re: [yocto] [meta-security][PATCH] clamav: freshclam need bind to run
On 4/7/19 10:42 AM, Adrian Bunk wrote: > On Sun, Apr 07, 2019 at 01:38:38AM +0530, akuster808 wrote: >> >> On 4/6/19 8:31 PM, Adrian Bunk wrote: >>> On Sat, Apr 06, 2019 at 08:15:40PM +0530, Armin Kuster wrote: Add it to the rdepends for that package Signed-off-by: Armin Kuster --- recipes-security/clamav/clamav_0.99.4.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/recipes-security/clamav/clamav_0.99.4.bb b/recipes-security/clamav/clamav_0.99.4.bb index 6219d9e..dbe903f 100644 --- a/recipes-security/clamav/clamav_0.99.4.bb +++ b/recipes-security/clamav/clamav_0.99.4.bb 
@@ -152,3 +152,5 @@ RCONFLICTS_${PN} += "${PN}-systemd" SYSTEMD_SERVICE_${PN} = "${BPN}.service" RDEPENDS_${PN} += "openssl ncurses-libncurses libbz2 ncurses-libtinfo clamav-freshclam clamav-libclamav" + +RDEPENDS_freshclam = "bind" >>> freshclam depending on a DNS server looks very wrong. >> got talk to clamav folks then. >> >>> What is the actual problem? >> ClamAV update process started at Sat Apr 6 14:59:25 2019 >> WARNING: Can't query current.cvd.clamav.net >> WARNING: Invalid DNS reply. Falling back to HTTP mode. >> ERROR: Can't get information about database.clamav.net: Temporary failure in >> name resolution >> ERROR: Can't download main.cvd from database.clamav.net >> Giving up on database.clamav.net... >> >> because >> >> Use DNS to verify virus database version. Freshclam uses DNS TXT records >> to verify database and software versions >> >> therefor I am including bind. > freshclam needing DNS information makes sense, which means it must be > configured how to access a DNS server. > > On the local machine you need only DNS client funtionality, > just like every user needs for a web browser. > > Forcing installation of a DNS server is not the correct solution > when the actual problem is just a configuration issue on the > machine where you were trying it. So I can expect a patch to provide such configuration. I would like to see how you would solve this. Maybe an FAQ we can add to the layer for this package? - armin >> - Armin > cu > Adrian > -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto