[yocto] Minutes: Yocto Project Technical Team Meeting, 8/27/2019
Minutes: Yocto Project Technical Team Meeting
When: Tuesday, August 27, 2019 8:00 AM-9:00 AM

1. Attending: Richard, Armin, Michael, David, TrevorW, Tim, Vineela, Randy, Joshua, Manju, Alex Kanavin, Scott, TrevorG, Bruce

* Richard: General notes
  - Just sent weekly update "[OE-core] Yocto Project Status WW35'19"
  - M3 is over, we are now in feature freeze for M4
  - Patch merge in progress, backlog for M3
  - Systemd (as default) versus SysVinit still in progress
  - Removal of LSB, test builder not set up yet
  - Many patches for hash equivalency
  - Joshua has many patches for reproducible builds (tested without sstate), problems with existing sstate. Richard: always build from scratch.
* Manju: status of patch set for devtool? Richard is reviewing them.
* AR: Triage Team: provide list of respective bugs to Xilinx for review
* Manju: Is WIC the only way to create images for an SD card? Richard: WIC is preferred; any errors in WIC should be filed as defects. Manju: ramfs preparation has a race condition. Scott: meta-raspberrypi did use "mkimg" but now has WIC support.
* Manju: Status of Nathan's patches? Richard needs time to review them.
* Scott: The 2.8 list versus Python2 status? Notes that Python2 goes unsupported this December. Richard: people currently treat this as a low priority (but it will probably heighten when we get closer). Bruce has a patch set for perf/kernel, and this will be a big step forward to removing Python2. Richard: someone should do a scan on the remaining Python2 usage. Question: libftd? Richard: no, low priority. High priority are target tools over host/build tools.
* Bruce: will send 5.2 kernel and libc headers. Will check default BSPs.
* Richard: will need to merge each patch set in isolation given the number of merge failures he has been encountering.
* Manju: Is there a way to choose systemd versus SysVinit? Richard: yes, there is an init manager variable that you can set. We are not dropping SysVinit but switching to systemd as default. Poky-init, poky-alternate. Richard: 4 different variants - tiny/busybox/..., system size constraints.

Notes from ELC BOF:
* Joshua: a lot of people want an LTS. Armin: specifically they like CVEs applied/backported to stable branches. Richard: people want no changes but all the features. Joshua: LTS to help convince silicon vendors to stabilize on releases (e.g. kernel has LTS releases). Richard: kernel has 4 releases a year where YP has two, so cadence is good. We could do a major/minor release designation but then which release gets which designation? Manju: mostly looking for CVE patches for the last 2-3 years. Khem's general answer was to "send patches", not just let other people do the work.
* David: Questions about low activity on the security mailing list. Richard: most CVE patches are managed via normal patches. Armin: the person was looking for a security team. Tim: is he volunteering? Richard: we do fix the important stuff. David will follow up on the team question.
* Manju: has an sstate-cache paper, covering their 600 GB sstate-cache. Richard: excellent paper for ELCE YP summit.
* Richard out next Tuesday. Stephen still out next week.

- David
-- 
___
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto
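The init-manager question in the minutes, as an added local.conf fragment; this is not from the minutes or from Poky. It assumes an OE-core with the INIT_MANAGER variable that landed during this cycle (the documented knob from release 3.0 on), and the commented block is the manual form that knob expands to, shown because the DISTRO_FEATURES_BACKFILL_CONSIDERED line is the one people forget: without it sysvinit is backfilled into DISTRO_FEATURES and both init systems end up in the image.

```bitbake
# Added example (local.conf fragment), not part of the meeting minutes.
# Assumes an OE-core that provides INIT_MANAGER (3.0 "zeus" or later).

# Pick exactly one init system for the whole distro.
INIT_MANAGER = "systemd"      # or "sysvinit" to keep the old default

# On releases without INIT_MANAGER, set the equivalent by hand instead.
# For systemd:
#   DISTRO_FEATURES_append = " systemd"
#   DISTRO_FEATURES_BACKFILL_CONSIDERED = "sysvinit"   # stop sysvinit being backfilled
#   VIRTUAL-RUNTIME_init_manager = "systemd"
#   VIRTUAL-RUNTIME_initscripts = "systemd-compat-units"
# For SysVinit:
#   DISTRO_FEATURES_append = " sysvinit"
#   VIRTUAL-RUNTIME_init_manager = "sysvinit"
#   VIRTUAL-RUNTIME_initscripts = "initscripts"
```

After changing the init manager, check with `bitbake -e core-image-minimal | grep -E '^(DISTRO_FEATURES|VIRTUAL-RUNTIME_init_manager)='` that only one of sysvinit/systemd is present; an image carrying both is the usual sign the backfill line was missed.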
[yocto] [meta-security][PATCH] libseccomp: build static library always
From: Stefan Agner Always build static library. This is required e.g. for runc from meta-virtualization in its default configuration. Signed-off-by: Stefan Agner --- recipes-security/libseccomp/libseccomp_2.4.1.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/recipes-security/libseccomp/libseccomp_2.4.1.bb b/recipes-security/libseccomp/libseccomp_2.4.1.bb index dba1be5..37a7982 100644 --- a/recipes-security/libseccomp/libseccomp_2.4.1.bb +++ b/recipes-security/libseccomp/libseccomp_2.4.1.bb @@ -17,6 +17,8 @@ inherit autotools-brokensep pkgconfig ptest PACKAGECONFIG ??= "" PACKAGECONFIG[python] = "--enable-python, --disable-python, python" +DISABLE_STATIC = "" + do_compile_ptest() { oe_runmake -C tests check-build } -- 2.20.1
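Review bot: the added `+DISABLE_STATIC = ""` line needs a comment in the recipe saying why static linking is kept, because it reverses the OE-core default for every consumer of libseccomp and a later cleanup will otherwise drop it; the reason in the commit message (runc from meta-virtualization links libseccomp statically in its default configuration) belongs next to the line, e.g. `# runc (meta-virtualization) needs the static library by default`. Consider also whether a PACKAGECONFIG entry would fit better than an unconditional override, since the static archive now gets built and packaged for every image, including ones that never ship runc.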
[yocto] [meta-security][PATCH 1/4] packagegroup-core-security-ptest: only included if ptest is enabled
update python package names Signed-off-by: Armin Kuster --- .../packagegroup/packagegroup-core-security-ptest.bb| 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/recipes-security/packagegroup/packagegroup-core-security-ptest.bb b/recipes-security/packagegroup/packagegroup-core-security-ptest.bb index ddcf208..39873b8 100644 --- a/recipes-security/packagegroup/packagegroup-core-security-ptest.bb +++ b/recipes-security/packagegroup/packagegroup-core-security-ptest.bb @@ -3,6 +3,10 @@ LICENSE = "MIT" LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302 \ file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420" +inherit distro_features_check + +REQUIRED_DISTRO_FEATURES = "ptest" + PACKAGES = "\ ${PN} \ " @@ -15,7 +19,7 @@ RDEPENDS_${PN} = " \ samhain-standalone-ptest \ keyutils-ptest \ libseccomp-ptest \ -python-scapy-ptest \ +python3-scapy-ptest \ suricata-ptest \ tripwire-ptest \ python-fail2ban-ptest \ -- 2.17.1
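Review bot: in the second hunk, `python-scapy-ptest` becomes `python3-scapy-ptest` but the unchanged `python-fail2ban-ptest` two lines below keeps the Python 2 naming; if fail2ban has not moved to Python 3 that is fine, but a subject of "update python package names" invites the question, so either rename it here or say in the message why it stays. On the first hunk, `inherit distro_features_check` plus `REQUIRED_DISTRO_FEATURES = "ptest"` means the recipe is skipped at parse time when ptest is absent, so an image that lists this packagegroup unconditionally will now fail with "nothing provides" instead of silently pulling in the ptest packages; that behaviour change deserves a sentence in the commit message.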
[yocto] [meta-security][PATCH 2/4] packagegroup-core-security: update package name
Also remove tpm packagegroup reference Signed-off-by: Armin Kuster --- recipes-security/packagegroup/packagegroup-core-security.bb | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/recipes-security/packagegroup/packagegroup-core-security.bb b/recipes-security/packagegroup/packagegroup-core-security.bb index 20ba46f..e0a9d05 100644 --- a/recipes-security/packagegroup/packagegroup-core-security.bb +++ b/recipes-security/packagegroup/packagegroup-core-security.bb @@ -11,7 +11,6 @@ PACKAGES = "\ packagegroup-security-scanners \ packagegroup-security-ids \ packagegroup-security-mac \ -${@bb.utils.contains("MACHINE_FEATURES", "tpm", "packagegroup-security-tpm", "",d)} \ " RDEPENDS_packagegroup-core-security = "\ @@ -19,7 +18,6 @@ RDEPENDS_packagegroup-core-security = "\ packagegroup-security-scanners \ packagegroup-security-ids \ packagegroup-security-mac \ -${@bb.utils.contains("MACHINE_FEATURES", "tpm", "packagegroup-security-tpm", "",d)} \ " SUMMARY_packagegroup-security-utils = "Security utilities" @@ -27,7 +25,7 @@ RDEPENDS_packagegroup-security-utils = "\ checksec \ nmap \ pinentry \ -python-scapy \ +python3-scapy \ ding-libs \ keyutils \ libseccomp \ -- 2.17.1
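Review bot: the two removed `${@bb.utils.contains("MACHINE_FEATURES", "tpm", "packagegroup-security-tpm", "",d)}` lines drop the TPM packagegroup from both PACKAGES and RDEPENDS, and the commit message gives no reason and does not say where `packagegroup-security-tpm` now lives; a user who sets `MACHINE_FEATURES += "tpm"` and relied on packagegroup-core-security to pull in the TPM tooling loses it silently. Please state in the message whether that packagegroup moved to a sublayer and must now be added to IMAGE_INSTALL explicitly. A side effect worth recording is that the recipe no longer varies with MACHINE_FEATURES, so it is machine-independent again. The `python-scapy` to `python3-scapy` rename in the last hunk is fine.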
[yocto] [meta-security][PATCH 3/4] busybox: fix sig changes when layer added
Signed-off-by: Armin Kuster --- recipes-core/busybox/busybox_%.bbappend| 4 +--- recipes-core/busybox/busybox_libsecomp.inc | 3 +++ 2 files changed, 4 insertions(+), 3 deletions(-) create mode 100644 recipes-core/busybox/busybox_libsecomp.inc diff --git a/recipes-core/busybox/busybox_%.bbappend b/recipes-core/busybox/busybox_%.bbappend index 8bb0706..27a2482 100644 --- a/recipes-core/busybox/busybox_%.bbappend +++ b/recipes-core/busybox/busybox_%.bbappend @@ -1,3 +1 @@ -FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:" - -SRC_URI += "file://head.cfg" +require ${@bb.utils.contains('DISTRO_FEATURES', 'ptest', 'busybox_libsecomp.inc', '', d)} diff --git a/recipes-core/busybox/busybox_libsecomp.inc b/recipes-core/busybox/busybox_libsecomp.inc new file mode 100644 index 000..4af22ce --- /dev/null +++ b/recipes-core/busybox/busybox_libsecomp.inc @@ -0,0 +1,3 @@ +FILESEXTRAPATHS_prepend := "${THISDIR}/busybox:" + +SRC_URI_append = " file://head.cfg" -- 2.17.1
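Review bot: the new include file is spelled `busybox_libsecomp.inc` (one "c") while the library is libseccomp; rename it to `busybox_libseccomp.inc` in both the `require` line and the new file before other layers start referring to it. The conditional `require ${@bb.utils.contains('DISTRO_FEATURES', 'ptest', ..., '', d)}` expands to a `require` with no file name when ptest is off, which BitBake accepts as "include nothing", so busybox's SRC_URI and therefore its task signatures no longer change just because meta-security is in BBLAYERS, which is the stated goal. The commit message should also say that head.cfg is only needed for the ptest case (presumably for the libseccomp ptest, given the include's name); without that, gating on ptest looks arbitrary to the next reader.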
[yocto] [meta-security][PATCH 4/4] initramfs-framework-ima: correct IMA_POLICY name
it had ima_policy_hashed and did not match the recipe ima-policy-hashed found by yocto-check-layer Signed-off-by: Armin Kuster --- .../recipes-core/initrdscripts/initramfs-framework-ima.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb b/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb index 6057e8d..95c853a 100644 --- a/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb +++ b/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb @@ -12,7 +12,7 @@ LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384 # This policy file will get installed as /etc/ima/ima-policy. # It is located via the normal file search path, so a .bbappend # to this recipe can just point towards one of its own files. -IMA_POLICY ?= "ima_policy_hashed" +IMA_POLICY ?= "ima-policy-hashed" SRC_URI = " file://ima" -- 2.17.1
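Review bot: the three comment lines above the changed `IMA_POLICY ?=` describe the value as a policy file located via the normal file search path, while the commit message says it must match the recipe name `ima-policy-hashed`; one of the two is stale, and since this fix treats it as a recipe name the comment should be updated in the same change, otherwise the next person will "fix" it back. Because the assignment is a weak `?=`, any local.conf or .bbappend that copied the old `ima_policy_hashed` spelling still overrides this default and points at a recipe that does not exist, so grep the layer's docs and sample configs for the underscore form as part of this patch.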
[yocto] [meta-security][PATCH] apparmor: drop lsb RDEPENDS
remove lsb functions from init script Signed-off-by: Armin Kuster --- recipes-mac/AppArmor/apparmor_2.13.3.bb | 2 +- recipes-mac/AppArmor/files/apparmor | 1 - 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/recipes-mac/AppArmor/apparmor_2.13.3.bb b/recipes-mac/AppArmor/apparmor_2.13.3.bb index 9322018..8484404 100644 --- a/recipes-mac/AppArmor/apparmor_2.13.3.bb +++ b/recipes-mac/AppArmor/apparmor_2.13.3.bb @@ -160,7 +160,7 @@ PACKAGES += "mod-${PN}" FILES_${PN} += "/lib/apparmor/ ${sysconfdir}/apparmor ${PYTHON_SITEPACKAGES_DIR}" FILES_mod-${PN} = "${libdir}/apache2/modules/*" -RDEPENDS_${PN} += "bash lsb" +RDEPENDS_${PN} += "bash" RDEPENDS_${PN} += "${@bb.utils.contains('PACKAGECONFIG','python','python3-core python3-modules','', d)}" RDEPENDS_${PN}_remove += "${@bb.utils.contains('PACKAGECONFIG','perl','','perl', d)}" RDEPENDS_${PN}-ptest += "perl coreutils dbus-lib bash" diff --git a/recipes-mac/AppArmor/files/apparmor b/recipes-mac/AppArmor/files/apparmor index ac3ab9a..604e48d 100644 --- a/recipes-mac/AppArmor/files/apparmor +++ b/recipes-mac/AppArmor/files/apparmor @@ -47,7 +47,6 @@ log_end_msg () { } . /lib/apparmor/functions -. /lib/lsb/init-functions usage() { echo "Usage: $0 {start|stop|restart|reload|force-reload|status|recache}" -- 2.17.1
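Review bot: dropping `. /lib/lsb/init-functions` from the init script is only safe if every LSB helper the script calls has a local definition; the context shows `log_end_msg ()` defined locally, which suggests the script already carries its own, but the `status` action in the usage string is the one that commonly relies on `status_of_proc`, and a missing helper fails at runtime with "command not found" on exactly the code paths CI exercises least. A `grep -n 'log_[a-z_]*msg\|status_of_proc' recipes-mac/AppArmor/files/apparmor` showing that each remaining call has a definition in the script would settle it, and the commit message should say it was checked. Drive-by on the first hunk's unchanged context: `RDEPENDS_${PN}_remove += "..."` mixes the `_remove` override with `+=`, which is an odd combination; a plain `RDEPENDS_${PN}_remove = ...` reads as intended if you touch that line later.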