On 2025. 02. 13. 15:20, Zoltan Boszormenyi via lists.openembedded.org
wrote:
On 2025. 02. 13. 14:36, Mathieu Dubois-Briand wrote:
On Wed Feb 12, 2025 at 5:35 AM CET, Zoltán Böszörményi wrote:
This ships a crypto policy file for rpm-sequoia.
Signed-off-by: Zoltán Böszörményi <[email protected]>
---
Hi Zoltán,
I believe we have a new issue with this version:
| python/build-crypto-policies.py --reloadcmds policies output
| /tmp/tmpqvyryz80: line 5: Bad configuration option: pubkeyacceptedalgorithms
| /tmp/tmpqvyryz80: line 6: Bad configuration option: hostbasedacceptedalgorithms
| /tmp/tmpqvyryz80: line 8: Bad configuration option: requiredrsasize
| /tmp/tmpqvyryz80: terminating, 3 bad configuration options
| There is an error in OpenSSH server generated policy
https://autobuilder.yoctoproject.org/valkyrie/?#/builders/3/builds/1027/steps/11/logs/stdio
Can you have a look at this error please?
I tested the recipe on Fedora 41 with:
* nss 3.107.0 installed with /usr/bin/nss-policy-check present, and
* faking uninstalling it by renaming /usr/bin/nss-policy-check
Both worked.
Some of your build hosts where nss was not installed complained
about executing nss-policy-check unconditionally, which is now fixed.
I think this is on a build host with a very old nss version installed.
Can you uninstall it?
I found an alternative solution but it involves patching out
most of the policy generators:
================================================
$ git diff python/policygenerators/__init__.py
diff --git a/python/policygenerators/__init__.py
b/python/policygenerators/__init__.py
index 0e3013e..180fb2a 100644
--- a/python/policygenerators/__init__.py
+++ b/python/policygenerators/__init__.py
@@ -3,34 +3,8 @@
# Copyright (c) 2019 Red Hat, Inc.
# Copyright (c) 2019 Tomáš Mráz <[email protected]>
-from .bind import BindGenerator
-from .gnutls import GnuTLSGenerator
-from .java import JavaGenerator
-from .krb5 import KRB5Generator
-from .libreswan import LibreswanGenerator
-from .libssh import LibsshGenerator
-from .nss import NSSGenerator
-from .openssh import OpenSSHClientGenerator, OpenSSHServerGenerator
-from .openssl import (
- OpenSSLConfigGenerator,
- OpenSSLFIPSGenerator,
- OpenSSLGenerator,
-)
-from .sequoia import RPMSequoiaGenerator, SequoiaGenerator
+from .sequoia import RPMSequoiaGenerator
__all__ = [
- 'BindGenerator',
- 'GnuTLSGenerator',
- 'JavaGenerator',
- 'KRB5Generator',
- 'LibreswanGenerator',
- 'LibsshGenerator',
- 'NSSGenerator',
- 'OpenSSHClientGenerator',
- 'OpenSSHServerGenerator',
- 'OpenSSLConfigGenerator',
- 'OpenSSLFIPSGenerator',
- 'OpenSSLGenerator',
'RPMSequoiaGenerator',
- 'SequoiaGenerator',
]
================================================
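Review bot: The trimmed import block and `__all__` list carry no comment saying why only `RPMSequoiaGenerator` remains, and `SequoiaGenerator` is dropped even though it comes from the same `.sequoia` module that is still imported. If any other module in the tree names one of the removed classes through `policygenerators`, it will fail at import time, so it is worth confirming that callers only walk `__all__`. With this change the build can produce only the rpm-sequoia policy, so a one-line comment above `from .sequoia import RPMSequoiaGenerator` stating that the other generators are removed for the OE native build, to avoid their host tool checks, would keep the next reader from restoring them; the patch header should say the same next to its Upstream-Status line.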
That should work with this old nss version according to
the log.do_compile output.
I can't see an easy way to make these imports and list conditional,
so the patch would be "Upstream-Status: Inappropriate".
Since it should only happen for the native build, the patch can be
SRC_URI:append:class-native = "..."
As far as I know, /usr/bin is filtered from target builds but not from
native builds.