Hello The systemd recipe indicates systemd-container has a dependency to "tar" due to machinectl import-tar command using "--numeric-owner" option of tar. See https://git.openembedded.org/openembedded-core/tree/meta/recipes-core/systemd/systemd_256.5.bb?h=master#n576
However, busybox added --numeric-owner option to tar since a long time now, see https://git.busybox.net/busybox/commit/archival/tar.c?h=1_36_stable&id=8b814b4a349e2262c0ad25793b05206a14651ebb ( https://git.busybox.net/busybox/commit/archival/tar.c?h=1_36_stable&id=8b814b4a349e2262c0ad25793b05206a14651ebb ) and https://git.busybox.net/busybox/commit/archival/tar.c?h=1_36_stable&id=d57d62686dac254e83fbc18f851c773ec16013d8 So why not removing this tar dependency that is RRECOMMENDS by the systemd recipe ? So that we can use the busybox version instead. Thanks for any feedback on the reason for this! Joel PS: the positive impact is: the latest GPLv2 tar version is v1.17, which has several CVEs actually so I would like to avoid integrating tar, and use busybox alternative instead. I don't use the import-tar command of machienctl, so no risk for me, but it seems it's possible to improve in Yocto more generally.
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#63839): https://lists.yoctoproject.org/g/yocto/message/63839 Mute This Topic: https://lists.yoctoproject.org/mt/108477277/21656 Group Owner: yocto+ow...@lists.yoctoproject.org Unsubscribe: https://lists.yoctoproject.org/g/yocto/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
