[OE-core] [PATCH] gnutls: Use the sysconfdir variable for the ca-certificates path
Signed-off-by: Philippe Normand
---
 meta/recipes-support/gnutls/gnutls_3.6.7.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/recipes-support/gnutls/gnutls_3.6.7.bb b/meta/recipes-support/gnutls/gnutls_3.6.7.bb
index 01dd23c961..b27526a64e 100644
--- a/meta/recipes-support/gnutls/gnutls_3.6.7.bb
+++ b/meta/recipes-support/gnutls/gnutls_3.6.7.bb
@@ -44,7 +44,7 @@ EXTRA_OECONF = " \
 --enable-local-libopts \
 --enable-openssl-compatibility \
 --with-libpthread-prefix=${STAGING_DIR_HOST}${prefix} \
---with-default-trust-store-file=/etc/ssl/certs/ca-certificates.crt \
+ --with-default-trust-store-file=${sysconfdir}/ssl/certs/ca-certificates.crt \
 "
 LDFLAGS_append_libc-musl = " -largp"
-- 2.20.1 -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
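Review bot: Nothing visible in this hunk ties the configured bundle path to the package that installs it, so an image built without ca-certificates would ship a GnuTLS whose default trust store file does not exist, and certificate verification would presumably fail for every peer. I would document that next to the option, for example `# Bundle is installed by ca-certificates; without it GnuTLS has no trust anchors`. If the recipe does not already pull the package in (the rest of the file is outside the hunk), `RRECOMMENDS_${PN} += "ca-certificates"` would make the coupling explicit.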
Re: [OE-core] [PATCH 2/3] p11-kit: Enable nativesdk and trust-paths option
Hi Ross, Thanks for the review! On Wed, 2019-06-05 at 17:09 +0100, Burton, Ross wrote: > On Thu, 30 May 2019 at 14:48, Philippe Normand > wrote: > > +PACKAGECONFIG ??= "trust-paths" > > PACKAGECONFIG[trust-paths] = "--with-trust- > > paths=/etc/ssl/certs/ca-certificates.crt,--without-trust-paths,,ca- > > certificates" > > Should that be /etc? Or $(sysconfdir)? Especially in native and > nativesdk builds. > Yeah you're right, hardcoding /etc might not be a good idea. I kind of abandoned this patch series though, since it was decided to not make gnutls depend on p11-kit for the time being. This patch was merged instead: https://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?id=4babb468b856f495ef828ee21cefb266ed58bd28 Do you think a follow-up is needed? I'm sorry I didn't know about $(sysconfdir) before. Philippe -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
[OE-core] GStreamer recipes migration to Meson and _git.bb recipes?
Hi folks, It would be convenient to have _git.bb GStreamer recipes, for development purposes. There were some in the past but they were not very well maintained and they had outdated SRCREVs. Would it be acceptable to include _git.bb recipes relying on ${AUTOREV} in the tree? We also plan to migrate the recipes to Meson, especially because the autotools build will be removed from GStreamer upstream, most probably before the 1.18 stable release. Philippe -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
[OE-core] [warrior][PATCH] gnutls: Use ca-certificates as default trust store file
Since version 2.58 the glib-networking TLS database relies on GnuTLS's system trust store, so not enabling it leads to TLS errors in applications depending on glib-networking. The raised runtime warning is: process:500): GLib-Net-WARNING **: 09:14:09.321: Failed to load TLS database: Failed to load system trust store: GnuTLS was not configured with a system trust (app:490): ... TLS Error: TLS certificate has unknown CA. (From OE-Core rev: 1d147be584d2f016853edbe9751247d7daa0b5d0) Signed-off-by: Richard Purdie
---
 meta/recipes-support/gnutls/gnutls_3.6.7.bb | 1 +
 1 file changed, 1 insertion(+)
diff --git a/meta/recipes-support/gnutls/gnutls_3.6.7.bb b/meta/recipes-support/gnutls/gnutls_3.6.7.bb
index e05dc2b57d..01dd23c961 100644
--- a/meta/recipes-support/gnutls/gnutls_3.6.7.bb
+++ b/meta/recipes-support/gnutls/gnutls_3.6.7.bb
@@ -44,6 +44,7 @@ EXTRA_OECONF = " \
 --enable-local-libopts \
 --enable-openssl-compatibility \
 --with-libpthread-prefix=${STAGING_DIR_HOST}${prefix} \
+--with-default-trust-store-file=/etc/ssl/certs/ca-certificates.crt \
 "
 LDFLAGS_append_libc-musl = " -largp"
-- 2.20.1 -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
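Review bot: The added `--with-default-trust-store-file` value hard-codes `/etc` where the recipe would normally use `${sysconfdir}`. If the recipe is ever built as a native or nativesdk variant (not visible in this hunk), the library would be configured to read a CA bundle from the build host's `/etc` rather than from the location the build itself controls. Writing the line as `--with-default-trust-store-file=${sysconfdir}/ssl/certs/ca-certificates.crt \` keeps the trust anchors tied to the target's own configuration directory. The identical hunk in the original, non-warrior posting of this patch further down has the same issue.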
[OE-core] [PATCH v2] at-spi2: Make X11 support truly optional
X11 support in at-spi2-core can be turned off at compile time, so leverage this and disable it when X11 is not present in DISTRO_FEATURES. Signed-off-by: Philippe Normand
---
Patch updated for at-spi2-core 2.32.
 meta/recipes-support/atk/at-spi2-atk_2.32.0.bb | 3 ---
 meta/recipes-support/atk/at-spi2-core_2.32.1.bb | 4 +++-
 2 files changed, 3 insertions(+), 4 deletions(-)
diff --git a/meta/recipes-support/atk/at-spi2-atk_2.32.0.bb b/meta/recipes-support/atk/at-spi2-atk_2.32.0.bb
index 8812d33d9a..bcf1c9c77a 100644
--- a/meta/recipes-support/atk/at-spi2-atk_2.32.0.bb
+++ b/meta/recipes-support/atk/at-spi2-atk_2.32.0.bb
@@ -11,9 +11,6 @@ DEPENDS = "dbus glib-2.0 glib-2.0-native atk at-spi2-core libxml2"
 GNOMEBASEBUILDCLASS = "meson"
 inherit gnomebase distro_features_check upstream-version-is-even
-# The at-spi2-core requires x11 in DISTRO_FEATURES
-REQUIRED_DISTRO_FEATURES = "x11"
-
 PACKAGES =+ "${PN}-gnome ${PN}-gtk2"
 FILES_${PN}-gnome = "${libdir}/gnome-settings-daemon-3.0/gtk-modules"
diff --git a/meta/recipes-support/atk/at-spi2-core_2.32.1.bb b/meta/recipes-support/atk/at-spi2-core_2.32.1.bb
index 0f84259d94..11052a8ece 100644
--- a/meta/recipes-support/atk/at-spi2-core_2.32.1.bb
+++ b/meta/recipes-support/atk/at-spi2-core_2.32.1.bb
@@ -18,7 +18,9 @@ DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'x11', '${X11DEPENDS}', '',
 inherit meson gtk-doc gettext systemd pkgconfig upstream-version-is-even gobject-introspection
 EXTRA_OEMESON = " -Dsystemd_user_dir=${systemd_user_unitdir} \
- -Ddbus_daemon=${bindir}/dbus-daemon"
+ -Ddbus_daemon=${bindir}/dbus-daemon \
+ ${@bb.utils.contains('DISTRO_FEATURES', 'x11', '-Dx11=yes', '-Dx11=no', d)} \
+"
 GTKDOC_MESON_OPTION = "docs"
-- 2.20.1 -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
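Review bot: With `REQUIRED_DISTRO_FEATURES` removed from at-spi2-atk, the unchanged context line `inherit gnomebase distro_features_check upstream-version-is-even` still pulls in `distro_features_check`, which has nothing left to check unless another `*_DISTRO_FEATURES` variable is set outside this hunk. If none is, the line could become `inherit gnomebase upstream-version-is-even`. The first posting of this patch further down carries the same at-spi2-atk hunk.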
[OE-core] [PATCH] at-spi2: Make X11 support truly optional
X11 support in at-spi2-core can be turned off at compile time, so leverage this and disable it when X11 is not present in DISTRO_FEATURES. Signed-off-by: Philippe Normand
---
 meta/recipes-support/atk/at-spi2-atk_2.32.0.bb | 3 ---
 meta/recipes-support/atk/at-spi2-core_2.32.1.bb | 4 +++-
 2 files changed, 3 insertions(+), 4 deletions(-)
diff --git a/meta/recipes-support/atk/at-spi2-atk_2.32.0.bb b/meta/recipes-support/atk/at-spi2-atk_2.32.0.bb
index 8812d33d9a..bcf1c9c77a 100644
--- a/meta/recipes-support/atk/at-spi2-atk_2.32.0.bb
+++ b/meta/recipes-support/atk/at-spi2-atk_2.32.0.bb
@@ -11,9 +11,6 @@ DEPENDS = "dbus glib-2.0 glib-2.0-native atk at-spi2-core libxml2"
 GNOMEBASEBUILDCLASS = "meson"
 inherit gnomebase distro_features_check upstream-version-is-even
-# The at-spi2-core requires x11 in DISTRO_FEATURES
-REQUIRED_DISTRO_FEATURES = "x11"
-
 PACKAGES =+ "${PN}-gnome ${PN}-gtk2"
 FILES_${PN}-gnome = "${libdir}/gnome-settings-daemon-3.0/gtk-modules"
diff --git a/meta/recipes-support/atk/at-spi2-core_2.32.1.bb b/meta/recipes-support/atk/at-spi2-core_2.32.1.bb
index 0f84259d94..1843ac09e2 100644
--- a/meta/recipes-support/atk/at-spi2-core_2.32.1.bb
+++ b/meta/recipes-support/atk/at-spi2-core_2.32.1.bb
@@ -18,7 +18,9 @@ DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'x11', '${X11DEPENDS}', '',
 inherit meson gtk-doc gettext systemd pkgconfig upstream-version-is-even gobject-introspection
 EXTRA_OEMESON = " -Dsystemd_user_dir=${systemd_user_unitdir} \
- -Ddbus_daemon=${bindir}/dbus-daemon"
+ -Ddbus_daemon=${bindir}/dbus-daemon \
+ ${@bb.utils.contains('DISTRO_FEATURES', 'x11', '-Denable-x11=yes', '-Denable-x11=no', d)} \
+"
 GTKDOC_MESON_OPTION = "docs"
-- 2.20.1 -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
Re: [OE-core] [PATCH v2] cmake: Use compiler launcher variable when ccache is enabled
Please let me know if there's anything left to address with this patch :) Philippe -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
[OE-core] [PATCH] gnutls: Use ca-certificates as default trust store file
Since version 2.58 the glib-networking TLS database relies on GnuTLS's system trust store, so not enabling it leads to TLS errors in applications depending on glib-networking. The raised runtime warning is: process:500): GLib-Net-WARNING **: 09:14:09.321: Failed to load TLS database: Failed to load system trust store: GnuTLS was not configured with a system trust (app:490): ... TLS Error: TLS certificate has unknown CA.
---
 meta/recipes-support/gnutls/gnutls_3.6.7.bb | 1 +
 1 file changed, 1 insertion(+)
diff --git a/meta/recipes-support/gnutls/gnutls_3.6.7.bb b/meta/recipes-support/gnutls/gnutls_3.6.7.bb
index e05dc2b57d..01dd23c961 100644
--- a/meta/recipes-support/gnutls/gnutls_3.6.7.bb
+++ b/meta/recipes-support/gnutls/gnutls_3.6.7.bb
@@ -44,6 +44,7 @@ EXTRA_OECONF = " \
 --enable-local-libopts \
 --enable-openssl-compatibility \
 --with-libpthread-prefix=${STAGING_DIR_HOST}${prefix} \
+--with-default-trust-store-file=/etc/ssl/certs/ca-certificates.crt \
 "
 LDFLAGS_append_libc-musl = " -largp"
-- 2.20.1 -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
Re: [OE-core] [PATCH] gnutls: Add a config option to enable the pkcs11 trust store
On Thu, 2019-05-30 at 16:50 +0100, Richard Purdie wrote: > On Thu, 2019-05-30 at 15:47 +0100, Philippe Normand wrote: > > On Thu, 2019-05-30 at 17:06 +0300, Adrian Bunk wrote: > > > On Thu, May 30, 2019 at 02:30:14PM +0100, Philippe Normand wrote: > > > > Hi Adrian, > > > > > > Hi Philippe, > > > > > > > On Thu, 2019-05-30 at 15:17 +0300, Adrian Bunk wrote: > > > > ... > > > > > 2. Wouldn't the more common case be to use the ca- > > > > > certificates > > > > > package instead of PKCS #11? > > > > > > > > I don't know why glib-networking needs to go through gnutls > > > > which > > > > then > > > > needs to query p11-kit. I suppose p11-kit could directly be > > > > used, > > > > but > > > > this is not my call to make. > > > > ... > > > > > > I think your "which then needs to query p11-kit" is not correct. > > > > > > My reading of configure.ac is that ca-certificates could be used > > > instead, and this also makes a lot more sense in the default > > > case. > > > > > > > I've asked Michael Catanzaro about this, he's not subscribed to > > this > > list so he can't reply to the thread. Here's his reply: > > > > The GnuTLS default trust store can be a certificate file bundle or > > a > > certificate directory (provided by ca-certificates), or a PKCS#11 > > URI, > > but PKCS#11 is a better default. If you do not use PKCS#11, then > > expected functionality like trusting and distrusting certificates > > using > > the 'trust' command or applications like seahorse will not work. > > Most > > modern Linux distributions are now using PKCS#11 URIs; the only > > major > > holdouts are Debian and Ubuntu. So I would definitely recommend the > > PKCS#11 URI. Of course, basic functionality will work whichever way > > you > > choose; glib-networking only requires that GnuTLS has a default > > trust > > store, one way or the other, so using a bundle would be OK if you > > want to avoid the dependency on p11-kit. 
> > I think most of our system is already using ca-certificates at this > point so consistency here might make sense. > I think this is the most sensible approach for now indeed. > If you use a PKCS#11 URI does that mean the systems would need > network > access to obtain the trust store? > The ca-certificates will still be used with a PKCS#11 trust store, just indirectly, via p11-kit. It doesn't require network access. > Ultimately we may want this to be a global config selection but using > ca-certs and then having a wider discussion about a global option > might > make most sense. > OK, I'll prepare a new patch then for gnutls to directly rely on ca- certificates, for the time being :) Thanks Richard and Adrian! Philippe -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
Re: [OE-core] [PATCH] gnutls: Add a config option to enable the pkcs11 trust store
On Thu, 2019-05-30 at 17:06 +0300, Adrian Bunk wrote: > On Thu, May 30, 2019 at 02:30:14PM +0100, Philippe Normand wrote: > > Hi Adrian, > > Hi Philippe, > > > On Thu, 2019-05-30 at 15:17 +0300, Adrian Bunk wrote: > > ... > > > 2. Wouldn't the more common case be to use the ca-certificates > > > package instead of PKCS #11? > > > > I don't know why glib-networking needs to go through gnutls which > > then > > needs to query p11-kit. I suppose p11-kit could directly be used, > > but > > this is not my call to make. > > ... > > I think your "which then needs to query p11-kit" is not correct. > > My reading of configure.ac is that ca-certificates could be used > instead, and this also makes a lot more sense in the default case. > I've asked Michael Catanzaro about this, he's not subscribed to this list so he can't reply to the thread. Here's his reply: The GnuTLS default trust store can be a certificate file bundle or a certificate directory (provided by ca-certificates), or a PKCS#11 URI, but PKCS#11 is a better default. If you do not use PKCS#11, then expected functionality like trusting and distrusting certificates using the 'trust' command or applications like seahorse will not work. Most modern Linux distributions are now using PKCS#11 URIs; the only major holdouts are Debian and Ubuntu. So I would definitely recommend the PKCS#11 URI. Of course, basic functionality will work whichever way you choose; glib-networking only requires that GnuTLS has a default trust store, one way or the other, so using a bundle would be OK if you want to avoid the dependency on p11-kit. --- So, do you agree about depending on p11-kit from now on? Philippe -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
[OE-core] [PATCH 3/3] gnutls: Add a config option to enable the pkcs11 trust store
Since version 2.60 the glib-networking TLS database relies on GnuTLS's system trust store, so not enabling it leads to TLS errors in applications depending on glib-networking. The raised runtime warning is: process:500): GLib-Net-WARNING **: 09:14:09.321: Failed to load TLS database: Failed to load system trust store: GnuTLS was not configured with a system trust (app:490): ... TLS Error: TLS certificate has unknown CA. This new option is enabled by default because it is what glib-networking now expects. Disabling this option would break certificates validation for all applications directly or indirectly (via libsoup for instance) depending on glib-networking.
---
 meta/recipes-support/gnutls/gnutls_3.6.7.bb | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/meta/recipes-support/gnutls/gnutls_3.6.7.bb b/meta/recipes-support/gnutls/gnutls_3.6.7.bb
index e05dc2b57d..48684678bb 100644
--- a/meta/recipes-support/gnutls/gnutls_3.6.7.bb
+++ b/meta/recipes-support/gnutls/gnutls_3.6.7.bb
@@ -26,7 +26,7 @@ SRC_URI[sha256sum] = "5b3409ad5aaf239808730d1ee12fdcd148c0be00262c7edf157af655a8
 inherit autotools texinfo pkgconfig gettext lib_package gtk-doc
-PACKAGECONFIG ??= "libidn"
+PACKAGECONFIG ??= "libidn p11-kit pkcs11-trust-store"
 # You must also have CONFIG_SECCOMP enabled in the kernel for
 # seccomp to work.
@@ -35,6 +35,8 @@ PACKAGECONFIG[libidn] = "--with-idn,--without-idn,libidn2"
 PACKAGECONFIG[libtasn1] = "--with-included-libtasn1=no,--with-included-libtasn1,libtasn1"
 PACKAGECONFIG[p11-kit] = "--with-p11-kit,--without-p11-kit,p11-kit"
 PACKAGECONFIG[tpm] = "--with-tpm,--without-tpm,trousers"
+PACKAGECONFIG[pkcs11-trust-store] = "--with-default-trust-store-pkcs11=pkcs11:,,"
+
 EXTRA_OECONF = " \
 --enable-doc \
-- 2.20.1 -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
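Review bot: The new `PACKAGECONFIG[pkcs11-trust-store]` line in the second hunk does not record that it only makes sense together with `p11-kit`: its dependency field is empty, so a configuration that keeps `pkcs11-trust-store` but drops `p11-kit` would pass `--without-p11-kit` alongside a PKCS#11 default trust store. Its disable field is empty as well, so switching the option off leaves GnuTLS with no default trust store at all, which is presumably the state behind the warning quoted in the commit message. I would add a comment above the line, for example `# Requires the p11-kit PACKAGECONFIG; when disabled, no default trust store is configured`, so that anyone overriding the default in the first hunk sees both consequences. The same line appears in the earlier single-patch posting further down.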
[OE-core] [PATCH 2/3] p11-kit: Enable nativesdk and trust-paths option
This is required before enabling p11-kit support by default in gnutls. Signed-off-by: Philippe Normand
---
 meta/recipes-support/p11-kit/p11-kit_0.23.16.1.bb | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/meta/recipes-support/p11-kit/p11-kit_0.23.16.1.bb b/meta/recipes-support/p11-kit/p11-kit_0.23.16.1.bb
index 54455da1bb..c4ed7c34f3 100644
--- a/meta/recipes-support/p11-kit/p11-kit_0.23.16.1.bb
+++ b/meta/recipes-support/p11-kit/p11-kit_0.23.16.1.bb
@@ -14,7 +14,7 @@ S = "${WORKDIR}/git"
 AUTOTOOLS_AUXDIR = "${S}/build/litter"
-PACKAGECONFIG ??= ""
+PACKAGECONFIG ??= "trust-paths"
 PACKAGECONFIG[trust-paths] = "--with-trust-paths=/etc/ssl/certs/ca-certificates.crt,--without-trust-paths,,ca-certificates"
 # This recipe does not use the standard gtk-doc m4 macros, and so the ./configure flags
@@ -44,3 +44,5 @@ FILES_${PN} += " \
 # PN contains p11-kit-proxy.so, a symlink to a loadable module
 INSANE_SKIP_${PN} = "dev-so"
+
+BBCLASSEXTEND = "nativesdk"
-- 2.20.1 -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
[OE-core] [PATCH 1/3] libtasn1: Enable nativesdk support
This is required before enabling p11-kit support by default in gnutls. Signed-off-by: Philippe Normand
---
 meta/recipes-support/gnutls/libtasn1_4.13.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/recipes-support/gnutls/libtasn1_4.13.bb b/meta/recipes-support/gnutls/libtasn1_4.13.bb
index 9ee1913091..ea2dfe03fd 100644
--- a/meta/recipes-support/gnutls/libtasn1_4.13.bb
+++ b/meta/recipes-support/gnutls/libtasn1_4.13.bb
@@ -20,4 +20,4 @@ SRC_URI[sha256sum] = "7e528e8c317ddd156230c4e31d082cd13e7ddeb7a54824be8263220955
 inherit autotools texinfo lib_package gtk-doc
-BBCLASSEXTEND = "native"
+BBCLASSEXTEND = "native nativesdk"
-- 2.20.1 -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
Re: [OE-core] [PATCH] gnutls: Add a config option to enable the pkcs11 trust store
Hi Adrian, On Thu, 2019-05-30 at 15:17 +0300, Adrian Bunk wrote: > On Thu, May 30, 2019 at 11:12:21AM +0100, Philippe Normand wrote: > > Since version 2.60 the glib-networking TLS database relies on > > GnuTLS's system > > trust store, so not enabling it leads to TLS errors in applications > > depending on > > glib-networking. The raised runtime warning is: > > > > process:500): GLib-Net-WARNING **: 09:14:09.321: Failed to load TLS > > database: Failed to load system trust store: GnuTLS was not > > configured with a system trust > > (app:490): ... TLS Error: TLS certificate has unknown CA. > > ... > Two questions: > > 1. Is this a valid pkcs11 URI? > > AC_ARG_WITH([default-trust-store-pkcs11], > [AS_HELP_STRING([--with-default-trust-store-pkcs11=URI], > [use the given pkcs11 uri as default trust store])]) > Yes, I believe so. I simply used the same option as in the Freedesktop Flatpak SDK: https://gitlab.com/freedesktop-sdk/freedesktop-sdk/blob/master/elements/components/gnutls.bst > 2. Wouldn't the more common case be to use the ca-certificates > package instead of PKCS #11? > I don't know why glib-networking needs to go through gnutls which then needs to query p11-kit. I suppose p11-kit could directly be used, but this is not my call to make. For reference, this is the relevant glib-networking commit: https://gitlab.gnome.org/GNOME/glib-networking/commit/f1c8feee014007cc913b71357acb609f8d1200df Anyway, in my local config I had this: PACKAGECONFIG_append_pn-gnutls = " p11-kit pkcs11-trust-store" PACKAGECONFIG_append_pn-p11-kit = " trust-paths" Without those I would still get TLS errors at runtime. So these 3 options would need to be enabled by default, I'll send a follow-up patch series. Philippe -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
Re: [OE-core] [PATCH] gnutls: Add a config option to enable the pkcs11 trust store
On Thu, 2019-05-30 at 12:46 +0100, richard.pur...@linuxfoundation.org wrote: > On Thu, 2019-05-30 at 12:43 +0100, Philippe Normand wrote: > > On Thu, 2019-05-30 at 12:38 +0100, Richard Purdie wrote: > > > On Thu, 2019-05-30 at 11:12 +0100, Philippe Normand wrote: > > > > Since version 2.60 the glib-networking TLS database relies on > > > > GnuTLS's system > > > > trust store, so not enabling it leads to TLS errors in > > > > applications > > > > depending on > > > > glib-networking. The raised runtime warning is: > > > > > > > > process:500): GLib-Net-WARNING **: 09:14:09.321: Failed to load > > > > TLS > > > > database: Failed to load system trust store: GnuTLS was not > > > > configured with a system trust > > > > (app:490): ... TLS Error: TLS certificate has unknown CA. > > > > > > Doesn't this mean we should enable it by default as well? > > > > > > > Yes, I would likely support this decision. :) > > > > I didn't do it in the patch because I don't know all the > > consequences > > of enabling this by default. I would rather defer the decision to > > the > > recipe maintainer. > > Given we're seeing issues without it enabled, can you send a v2 with > it > being enabled by default please? > > We try not to do that where it adds dependencies we don't need but it > seems to make sense here to me (I can take responsibility for asking > for > it!). > Alright, I'll update the patch then. Enabling this new option requires the p11-kit option to be enabled as well though. Philippe -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
Re: [OE-core] [PATCH] gnutls: Add a config option to enable the pkcs11 trust store
On Thu, 2019-05-30 at 12:38 +0100, Richard Purdie wrote: > On Thu, 2019-05-30 at 11:12 +0100, Philippe Normand wrote: > > Since version 2.60 the glib-networking TLS database relies on > > GnuTLS's system > > trust store, so not enabling it leads to TLS errors in applications > > depending on > > glib-networking. The raised runtime warning is: > > > > process:500): GLib-Net-WARNING **: 09:14:09.321: Failed to load TLS > > database: Failed to load system trust store: GnuTLS was not > > configured with a system trust > > (app:490): ... TLS Error: TLS certificate has unknown CA. > > Doesn't this mean we should enable it by default as well? > Yes, I would likely support this decision. :) I didn't do it in the patch because I don't know all the consequences of enabling this by default. I would rather defer the decision to the recipe maintainer. Philippe -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
[OE-core] [PATCH] gnutls: Add a config option to enable the pkcs11 trust store
Since version 2.60 the glib-networking TLS database relies on GnuTLS's system trust store, so not enabling it leads to TLS errors in applications depending on glib-networking. The raised runtime warning is: process:500): GLib-Net-WARNING **: 09:14:09.321: Failed to load TLS database: Failed to load system trust store: GnuTLS was not configured with a system trust (app:490): ... TLS Error: TLS certificate has unknown CA.
---
 meta/recipes-support/gnutls/gnutls_3.6.7.bb | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/meta/recipes-support/gnutls/gnutls_3.6.7.bb b/meta/recipes-support/gnutls/gnutls_3.6.7.bb
index e05dc2b57d..3ad6e56579 100644
--- a/meta/recipes-support/gnutls/gnutls_3.6.7.bb
+++ b/meta/recipes-support/gnutls/gnutls_3.6.7.bb
@@ -35,6 +35,8 @@ PACKAGECONFIG[libidn] = "--with-idn,--without-idn,libidn2"
 PACKAGECONFIG[libtasn1] = "--with-included-libtasn1=no,--with-included-libtasn1,libtasn1"
 PACKAGECONFIG[p11-kit] = "--with-p11-kit,--without-p11-kit,p11-kit"
 PACKAGECONFIG[tpm] = "--with-tpm,--without-tpm,trousers"
+PACKAGECONFIG[pkcs11-trust-store] = "--with-default-trust-store-pkcs11=pkcs11:,,"
+
 EXTRA_OECONF = " \
 --enable-doc \
-- 2.20.1 -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
Re: [OE-core] [PATCH v2] cmake: Use compiler launcher variable when ccache is enabled
Setting the CMAKE_C{,XX}_COMPILER_LAUNCHER variables is the recomended way to deal with ccache in CMake. It allows build scripts to optionally opt-out of ccache, which is especially useful when the pre-processed GCC output is required. Signed-off-by: Philippe Normand
---
 meta/classes/cmake.bbclass | 11 +--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/meta/classes/cmake.bbclass b/meta/classes/cmake.bbclass
index d3f0d70847..a5cffedbc6 100644
--- a/meta/classes/cmake.bbclass
+++ b/meta/classes/cmake.bbclass
@@ -26,14 +26,16 @@ python() {
 if not d.getVar('OECMAKE_C_COMPILER'):
 cc_list = d.getVar('CC').split()
 if cc_list[0] == 'ccache':
-d.setVar('OECMAKE_C_COMPILER', '%s %s' % (cc_list[0], cc_list[1]))
+d.setVar('OECMAKE_C_COMPILER_LAUNCHER', cc_list[0])
+d.setVar('OECMAKE_C_COMPILER', cc_list[1])
 else:
 d.setVar('OECMAKE_C_COMPILER', cc_list[0])
 if not d.getVar('OECMAKE_CXX_COMPILER'):
 cxx_list = d.getVar('CXX').split()
 if cxx_list[0] == 'ccache':
-d.setVar('OECMAKE_CXX_COMPILER', '%s %s' % (cxx_list[0], cxx_list[1]))
+d.setVar('OECMAKE_CXX_COMPILER_LAUNCHER', cxx_list[0])
+d.setVar('OECMAKE_CXX_COMPILER', cxx_list[1])
 else:
 d.setVar('OECMAKE_CXX_COMPILER', cxx_list[0])
 }
@@ -49,6 +51,9 @@ OECMAKE_CXX_LINK_FLAGS ?= "${HOST_CC_ARCH} ${TOOLCHAIN_OPTIONS} ${CXXFLAGS} ${LD
 CXXFLAGS += "${HOST_CC_ARCH} ${TOOLCHAIN_OPTIONS}"
 CFLAGS += "${HOST_CC_ARCH} ${TOOLCHAIN_OPTIONS}"
+OECMAKE_C_COMPILER_LAUNCHER ?= ""
+OECMAKE_CXX_COMPILER_LAUNCHER ?= ""
+
 OECMAKE_RPATH ?= ""
 OECMAKE_PERLNATIVE_DIR ??= ""
 OECMAKE_EXTRA_ROOT_PATH ?= ""
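Review bot: In the python() hunk, `OECMAKE_C_COMPILER_LAUNCHER` and `OECMAKE_CXX_COMPILER_LAUNCHER` are assigned with `d.setVar` whenever `CC`/`CXX` start with `ccache`, so the `?= ""` defaults added in the following hunk, and any launcher a recipe or configuration file set on purpose, are overwritten. Guarding the assignment, e.g. `if not d.getVar('OECMAKE_C_COMPILER_LAUNCHER'): d.setVar('OECMAKE_C_COMPILER_LAUNCHER', cc_list[0])` (and the same for CXX), would keep a deliberate value. `cc_list[1]` and `cxx_list[1]` are still read without a length check, so a `CC` consisting only of `ccache` would raise IndexError during parsing; that predates this change but the new lines rely on it too. The first posting of this patch further down contains the same hunk.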
@@ -86,6 +91,8 @@ set( CMAKE_SYSTEM_NAME `echo ${TARGET_OS} | sed -e 's/^./\u&/' -e 's/^\(Linux\).
 set( CMAKE_SYSTEM_PROCESSOR ${@map_target_arch_to_uname_arch(d.getVar('TARGET_ARCH'))} )
 set( CMAKE_C_COMPILER ${OECMAKE_C_COMPILER} )
 set( CMAKE_CXX_COMPILER ${OECMAKE_CXX_COMPILER} )
+set( CMAKE_C_COMPILER_LAUNCHER ${OECMAKE_C_COMPILER_LAUNCHER} )
+set( CMAKE_CXX_COMPILER_LAUNCHER ${OECMAKE_CXX_COMPILER_LAUNCHER} )
 set( CMAKE_ASM_COMPILER ${OECMAKE_C_COMPILER} )
 set( CMAKE_AR ${OECMAKE_AR} CACHE FILEPATH "Archiver" )
 set( CMAKE_C_FLAGS "${OECMAKE_C_FLAGS}" CACHE STRING "CFLAGS" )
-- 2.20.1 -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
Re: [OE-core] [PATCH] cmake: Use compiler launcher variable when ccache is enabled
On 2019-05-28 20:22, Andre McCurdy wrote: > On Tue, May 28, 2019 at 12:13 PM Philippe Normand wrote: >> >> Setting the CMAKE_C{,XX}_COMPILER_LAUNCHER variables is the recomended way to >> deal with ccache in CMake. It allows build scripts to optionally opt-out of >> CMake, which is especially useful when the pre-processed GCC output is >> required. > > Opt out of CMake? Or ccache ? > The latter. Sorry about this typo, I'll send an amended patch :) Philippe >> >> Signed-off-by: Philippe Normand >> --- >> meta/classes/cmake.bbclass | 11 +-- >> 1 file changed, 9 insertions(+), 2 deletions(-) >> >> diff --git a/meta/classes/cmake.bbclass b/meta/classes/cmake.bbclass >> index d3f0d70847..a5cffedbc6 100644 >> --- a/meta/classes/cmake.bbclass >> +++ b/meta/classes/cmake.bbclass >> @@ -26,14 +26,16 @@ python() { >> if not d.getVar('OECMAKE_C_COMPILER'): >> cc_list = d.getVar('CC').split() >> if cc_list[0] == 'ccache': >> -d.setVar('OECMAKE_C_COMPILER', '%s %s' % (cc_list[0], >> cc_list[1])) >> +d.setVar('OECMAKE_C_COMPILER_LAUNCHER', cc_list[0]) >> +d.setVar('OECMAKE_C_COMPILER', cc_list[1]) >> else: >> d.setVar('OECMAKE_C_COMPILER', cc_list[0]) >> >> if not d.getVar('OECMAKE_CXX_COMPILER'): >> cxx_list = d.getVar('CXX').split() >> if cxx_list[0] == 'ccache': >> -d.setVar('OECMAKE_CXX_COMPILER', '%s %s' % (cxx_list[0], >> cxx_list[1])) >> +d.setVar('OECMAKE_CXX_COMPILER_LAUNCHER', cxx_list[0]) >> +d.setVar('OECMAKE_CXX_COMPILER', cxx_list[1]) >> else: >> d.setVar('OECMAKE_CXX_COMPILER', cxx_list[0]) >> } >> @@ -49,6 +51,9 @@ OECMAKE_CXX_LINK_FLAGS ?= "${HOST_CC_ARCH} >> ${TOOLCHAIN_OPTIONS} ${CXXFLAGS} ${LD >> CXXFLAGS += "${HOST_CC_ARCH} ${TOOLCHAIN_OPTIONS}" >> CFLAGS += "${HOST_CC_ARCH} ${TOOLCHAIN_OPTIONS}" >> >> +OECMAKE_C_COMPILER_LAUNCHER ?= "" >> +OECMAKE_CXX_COMPILER_LAUNCHER ?= "" >> + >> OECMAKE_RPATH ?= "" >> OECMAKE_PERLNATIVE_DIR ??= "" >> OECMAKE_EXTRA_ROOT_PATH ?= "" 
>> @@ -86,6 +91,8 @@ set( CMAKE_SYSTEM_NAME `echo ${TARGET_OS} | sed -e >> 's/^./\u&/' -e 's/^\(Linux\). >> set( CMAKE_SYSTEM_PROCESSOR >> ${@map_target_arch_to_uname_arch(d.getVar('TARGET_ARCH'))} ) >> set( CMAKE_C_COMPILER ${OECMAKE_C_COMPILER} ) >> set( CMAKE_CXX_COMPILER ${OECMAKE_CXX_COMPILER} ) >> +set( CMAKE_C_COMPILER_LAUNCHER ${OECMAKE_C_COMPILER_LAUNCHER} ) >> +set( CMAKE_CXX_COMPILER_LAUNCHER ${OECMAKE_CXX_COMPILER_LAUNCHER} ) >> set( CMAKE_ASM_COMPILER ${OECMAKE_C_COMPILER} ) >> set( CMAKE_AR ${OECMAKE_AR} CACHE FILEPATH "Archiver" ) >> set( CMAKE_C_FLAGS "${OECMAKE_C_FLAGS}" CACHE STRING "CFLAGS" ) >> -- >> 2.20.1 >> >> >> -- >> ___ >> Openembedded-core mailing list >> Openembedded-core@lists.openembedded.org >> http://lists.openembedded.org/mailman/listinfo/openembedded-core -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
[OE-core] [PATCH] cmake: Use compiler launcher variable when ccache is enabled
Setting the CMAKE_C{,XX}_COMPILER_LAUNCHER variables is the recomended way to deal with ccache in CMake. It allows build scripts to optionally opt-out of CMake, which is especially useful when the pre-processed GCC output is required. Signed-off-by: Philippe Normand
---
 meta/classes/cmake.bbclass | 11 +--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/meta/classes/cmake.bbclass b/meta/classes/cmake.bbclass
index d3f0d70847..a5cffedbc6 100644
--- a/meta/classes/cmake.bbclass
+++ b/meta/classes/cmake.bbclass
@@ -26,14 +26,16 @@ python() {
 if not d.getVar('OECMAKE_C_COMPILER'):
 cc_list = d.getVar('CC').split()
 if cc_list[0] == 'ccache':
-d.setVar('OECMAKE_C_COMPILER', '%s %s' % (cc_list[0], cc_list[1]))
+d.setVar('OECMAKE_C_COMPILER_LAUNCHER', cc_list[0])
+d.setVar('OECMAKE_C_COMPILER', cc_list[1])
 else:
 d.setVar('OECMAKE_C_COMPILER', cc_list[0])
 if not d.getVar('OECMAKE_CXX_COMPILER'):
 cxx_list = d.getVar('CXX').split()
 if cxx_list[0] == 'ccache':
-d.setVar('OECMAKE_CXX_COMPILER', '%s %s' % (cxx_list[0], cxx_list[1]))
+d.setVar('OECMAKE_CXX_COMPILER_LAUNCHER', cxx_list[0])
+d.setVar('OECMAKE_CXX_COMPILER', cxx_list[1])
 else:
 d.setVar('OECMAKE_CXX_COMPILER', cxx_list[0])
 }
@@ -49,6 +51,9 @@ OECMAKE_CXX_LINK_FLAGS ?= "${HOST_CC_ARCH} ${TOOLCHAIN_OPTIONS} ${CXXFLAGS} ${LD
 CXXFLAGS += "${HOST_CC_ARCH} ${TOOLCHAIN_OPTIONS}"
 CFLAGS += "${HOST_CC_ARCH} ${TOOLCHAIN_OPTIONS}"
+OECMAKE_C_COMPILER_LAUNCHER ?= ""
+OECMAKE_CXX_COMPILER_LAUNCHER ?= ""
+
 OECMAKE_RPATH ?= ""
 OECMAKE_PERLNATIVE_DIR ??= ""
 OECMAKE_EXTRA_ROOT_PATH ?= ""
@@ -86,6 +91,8 @@ set( CMAKE_SYSTEM_NAME `echo ${TARGET_OS} | sed -e 's/^./\u&/' -e 's/^\(Linux\).
 set( CMAKE_SYSTEM_PROCESSOR ${@map_target_arch_to_uname_arch(d.getVar('TARGET_ARCH'))} )
 set( CMAKE_C_COMPILER ${OECMAKE_C_COMPILER} )
 set( CMAKE_CXX_COMPILER ${OECMAKE_CXX_COMPILER} )
+set( CMAKE_C_COMPILER_LAUNCHER ${OECMAKE_C_COMPILER_LAUNCHER} )
+set( CMAKE_CXX_COMPILER_LAUNCHER ${OECMAKE_CXX_COMPILER_LAUNCHER} )
 set( CMAKE_ASM_COMPILER ${OECMAKE_C_COMPILER} )
 set( CMAKE_AR ${OECMAKE_AR} CACHE FILEPATH "Archiver" )
 set( CMAKE_C_FLAGS "${OECMAKE_C_FLAGS}" CACHE STRING "CFLAGS" )
-- 2.20.1 -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core