[OE-core] [PATCH] gnutls: Use the sysconfdir variable for the ca-certificates path

2019-06-06 Thread Philippe Normand
Signed-off-by: Philippe Normand 
---
 meta/recipes-support/gnutls/gnutls_3.6.7.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-support/gnutls/gnutls_3.6.7.bb 
b/meta/recipes-support/gnutls/gnutls_3.6.7.bb
index 01dd23c961..b27526a64e 100644
--- a/meta/recipes-support/gnutls/gnutls_3.6.7.bb
+++ b/meta/recipes-support/gnutls/gnutls_3.6.7.bb
@@ -44,7 +44,7 @@ EXTRA_OECONF = " \
 --enable-local-libopts \
 --enable-openssl-compatibility \
 --with-libpthread-prefix=${STAGING_DIR_HOST}${prefix} \
---with-default-trust-store-file=/etc/ssl/certs/ca-certificates.crt \
+--with-default-trust-store-file=${sysconfdir}/ssl/certs/ca-certificates.crt \
 "
 
 LDFLAGS_append_libc-musl = " -largp"
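Review bot: The path on the `--with-default-trust-store-file=` line is compiled into libgnutls, but nothing visible in this hunk ensures that a CA bundle exists at that path at runtime. The bundle is provided by ca-certificates, so the recipe probably wants a runtime edge such as `RDEPENDS_${PN} += "ca-certificates"` (or `RRECOMMENDS_${PN}` if images without a bundle must remain possible); without the file, verification presumably fails closed with an "unknown CA" error. For native and nativesdk variants `${sysconfdir}` expands to a location inside the sysroot or SDK, so it is worth confirming that a bundle is staged there too. The rest of the recipe is outside the hunk, so an existing dependency may already cover this.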
-- 
2.20.1



Re: [OE-core] [PATCH 2/3] p11-kit: Enable nativesdk and trust-paths option

2019-06-05 Thread Philippe Normand
Hi Ross,

Thanks for the review!

On Wed, 2019-06-05 at 17:09 +0100, Burton, Ross wrote:
> On Thu, 30 May 2019 at 14:48, Philippe Normand 
> wrote:
> > +PACKAGECONFIG ??= "trust-paths"
> >  PACKAGECONFIG[trust-paths] = "--with-trust-
> > paths=/etc/ssl/certs/ca-certificates.crt,--without-trust-paths,,ca-
> > certificates"
> 
> Should that be /etc?  Or $(sysconfdir)?  Especially in native and
> nativesdk builds.
> 

Yeah you're right, hardcoding /etc might not be a good idea. I kind of
abandoned this patch series though, since it was decided to not make
gnutls depend on p11-kit for the time being. This patch was merged
instead:

https://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?id=4babb468b856f495ef828ee21cefb266ed58bd28

Do you think a follow-up is needed? I'm sorry I didn't know about
$(sysconfdir) before.

Philippe




[OE-core] GStreamer recipes migration to Meson and _git.bb recipes?

2019-06-03 Thread Philippe Normand
Hi folks,

It would be convenient to have _git.bb GStreamer recipes, for
development purposes. There were some in the past but they were not
very well maintained and they had outdated SRCREVs. Would it be
acceptable to include _git.bb recipes relying on ${AUTOREV} in the
tree?

We also plan to migrate the recipes to Meson, especially because the
autotools build will be removed from GStreamer upstream, most probably
before the 1.18 stable release.

Philippe



[OE-core] [warrior][PATCH] gnutls: Use ca-certificates as default trust store file

2019-06-03 Thread Philippe Normand
Since version 2.58 the glib-networking TLS database relies on GnuTLS's system
trust store, so not enabling it leads to TLS errors in applications depending on
glib-networking. The raised runtime warning is:

process:500): GLib-Net-WARNING **: 09:14:09.321: Failed to load TLS database: 
Failed to load system trust store: GnuTLS was not configured with a system trust
(app:490): ... TLS Error: TLS certificate  has unknown CA.

(From OE-Core rev: 1d147be584d2f016853edbe9751247d7daa0b5d0)

Signed-off-by: Richard Purdie 
---
 meta/recipes-support/gnutls/gnutls_3.6.7.bb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta/recipes-support/gnutls/gnutls_3.6.7.bb 
b/meta/recipes-support/gnutls/gnutls_3.6.7.bb
index e05dc2b57d..01dd23c961 100644
--- a/meta/recipes-support/gnutls/gnutls_3.6.7.bb
+++ b/meta/recipes-support/gnutls/gnutls_3.6.7.bb
@@ -44,6 +44,7 @@ EXTRA_OECONF = " \
 --enable-local-libopts \
 --enable-openssl-compatibility \
 --with-libpthread-prefix=${STAGING_DIR_HOST}${prefix} \
+--with-default-trust-store-file=/etc/ssl/certs/ca-certificates.crt \
 "
 
 LDFLAGS_append_libc-musl = " -largp"
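Review bot: The added `--with-default-trust-store-file=/etc/ssl/certs/ca-certificates.crt \` hard-codes `/etc`, so the trust-store location built into GnuTLS ignores the configured `sysconfdir`. In a native or nativesdk build that path would presumably point at the build host's own bundle, or at nothing, rather than at a file the build controls. Using the variable keeps the path tied to the build's layout: `--with-default-trust-store-file=${sysconfdir}/ssl/certs/ca-certificates.crt \`. The 2019-05-31 posting of this patch further down the page has the same line in its hunk.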
-- 
2.20.1



[OE-core] [PATCH v2] at-spi2: Make X11 support truly optional

2019-05-31 Thread Philippe Normand
X11 support in at-spi2-core can be turned off at compile time, so leverage this
and disable it when X11 is not present in DISTRO_FEATURES.

Signed-off-by: Philippe Normand 
---
Patch updated for at-spi2-core 2.32.

 meta/recipes-support/atk/at-spi2-atk_2.32.0.bb  | 3 ---
 meta/recipes-support/atk/at-spi2-core_2.32.1.bb | 4 +++-
 2 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/meta/recipes-support/atk/at-spi2-atk_2.32.0.bb 
b/meta/recipes-support/atk/at-spi2-atk_2.32.0.bb
index 8812d33d9a..bcf1c9c77a 100644
--- a/meta/recipes-support/atk/at-spi2-atk_2.32.0.bb
+++ b/meta/recipes-support/atk/at-spi2-atk_2.32.0.bb
@@ -11,9 +11,6 @@ DEPENDS = "dbus glib-2.0 glib-2.0-native atk at-spi2-core 
libxml2"
 GNOMEBASEBUILDCLASS = "meson"
 inherit gnomebase distro_features_check upstream-version-is-even
 
-# The at-spi2-core requires x11 in DISTRO_FEATURES
-REQUIRED_DISTRO_FEATURES = "x11"
-
 PACKAGES =+ "${PN}-gnome ${PN}-gtk2"
 
 FILES_${PN}-gnome = "${libdir}/gnome-settings-daemon-3.0/gtk-modules"
diff --git a/meta/recipes-support/atk/at-spi2-core_2.32.1.bb 
b/meta/recipes-support/atk/at-spi2-core_2.32.1.bb
index 0f84259d94..11052a8ece 100644
--- a/meta/recipes-support/atk/at-spi2-core_2.32.1.bb
+++ b/meta/recipes-support/atk/at-spi2-core_2.32.1.bb
@@ -18,7 +18,9 @@ DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'x11', 
'${X11DEPENDS}', '',
 inherit meson gtk-doc gettext systemd pkgconfig upstream-version-is-even 
gobject-introspection
 
 EXTRA_OEMESON = " -Dsystemd_user_dir=${systemd_user_unitdir} \
-  -Ddbus_daemon=${bindir}/dbus-daemon"
+  -Ddbus_daemon=${bindir}/dbus-daemon \
+  ${@bb.utils.contains('DISTRO_FEATURES', 'x11', '-Dx11=yes', 
'-Dx11=no', d)} \
+"
 
 GTKDOC_MESON_OPTION = "docs"
 
-- 
2.20.1



[OE-core] [PATCH] at-spi2: Make X11 support truly optional

2019-05-31 Thread Philippe Normand
X11 support in at-spi2-core can be turned off at compile time, so leverage this
and disable it when X11 is not present in DISTRO_FEATURES.

Signed-off-by: Philippe Normand 
---
 meta/recipes-support/atk/at-spi2-atk_2.32.0.bb  | 3 ---
 meta/recipes-support/atk/at-spi2-core_2.32.1.bb | 4 +++-
 2 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/meta/recipes-support/atk/at-spi2-atk_2.32.0.bb 
b/meta/recipes-support/atk/at-spi2-atk_2.32.0.bb
index 8812d33d9a..bcf1c9c77a 100644
--- a/meta/recipes-support/atk/at-spi2-atk_2.32.0.bb
+++ b/meta/recipes-support/atk/at-spi2-atk_2.32.0.bb
@@ -11,9 +11,6 @@ DEPENDS = "dbus glib-2.0 glib-2.0-native atk at-spi2-core 
libxml2"
 GNOMEBASEBUILDCLASS = "meson"
 inherit gnomebase distro_features_check upstream-version-is-even
 
-# The at-spi2-core requires x11 in DISTRO_FEATURES
-REQUIRED_DISTRO_FEATURES = "x11"
-
 PACKAGES =+ "${PN}-gnome ${PN}-gtk2"
 
 FILES_${PN}-gnome = "${libdir}/gnome-settings-daemon-3.0/gtk-modules"
diff --git a/meta/recipes-support/atk/at-spi2-core_2.32.1.bb 
b/meta/recipes-support/atk/at-spi2-core_2.32.1.bb
index 0f84259d94..1843ac09e2 100644
--- a/meta/recipes-support/atk/at-spi2-core_2.32.1.bb
+++ b/meta/recipes-support/atk/at-spi2-core_2.32.1.bb
@@ -18,7 +18,9 @@ DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'x11', 
'${X11DEPENDS}', '',
 inherit meson gtk-doc gettext systemd pkgconfig upstream-version-is-even 
gobject-introspection
 
 EXTRA_OEMESON = " -Dsystemd_user_dir=${systemd_user_unitdir} \
-  -Ddbus_daemon=${bindir}/dbus-daemon"
+  -Ddbus_daemon=${bindir}/dbus-daemon \
+  ${@bb.utils.contains('DISTRO_FEATURES', 'x11', 
'-Denable-x11=yes', '-Denable-x11=no', d)} \
+"
 
 GTKDOC_MESON_OPTION = "docs"
 
-- 
2.20.1



Re: [OE-core] [PATCH v2] cmake: Use compiler launcher variable when ccache is enabled

2019-05-31 Thread Philippe Normand
Please let me know if there's anything left to address with this patch
:)

Philippe



[OE-core] [PATCH] gnutls: Use ca-certificates as default trust store file

2019-05-31 Thread Philippe Normand
Since version 2.58 the glib-networking TLS database relies on GnuTLS's system
trust store, so not enabling it leads to TLS errors in applications depending on
glib-networking. The raised runtime warning is:

process:500): GLib-Net-WARNING **: 09:14:09.321: Failed to load TLS database: 
Failed to load system trust store: GnuTLS was not configured with a system trust
(app:490): ... TLS Error: TLS certificate  has unknown CA.
---
 meta/recipes-support/gnutls/gnutls_3.6.7.bb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta/recipes-support/gnutls/gnutls_3.6.7.bb 
b/meta/recipes-support/gnutls/gnutls_3.6.7.bb
index e05dc2b57d..01dd23c961 100644
--- a/meta/recipes-support/gnutls/gnutls_3.6.7.bb
+++ b/meta/recipes-support/gnutls/gnutls_3.6.7.bb
@@ -44,6 +44,7 @@ EXTRA_OECONF = " \
 --enable-local-libopts \
 --enable-openssl-compatibility \
 --with-libpthread-prefix=${STAGING_DIR_HOST}${prefix} \
+--with-default-trust-store-file=/etc/ssl/certs/ca-certificates.crt \
 "
 
 LDFLAGS_append_libc-musl = " -largp"
-- 
2.20.1



Re: [OE-core] [PATCH] gnutls: Add a config option to enable the pkcs11 trust store

2019-05-30 Thread Philippe Normand
On Thu, 2019-05-30 at 16:50 +0100, Richard Purdie wrote:
> On Thu, 2019-05-30 at 15:47 +0100, Philippe Normand wrote:
> > On Thu, 2019-05-30 at 17:06 +0300, Adrian Bunk wrote:
> > > On Thu, May 30, 2019 at 02:30:14PM +0100, Philippe Normand wrote:
> > > > Hi Adrian,
> > > 
> > > Hi Philippe,
> > > 
> > > > On Thu, 2019-05-30 at 15:17 +0300, Adrian Bunk wrote:
> > > > ...
> > > > > 2. Wouldn't the more common case be to use the ca-
> > > > > certificates
> > > > > package instead of PKCS #11?
> > > > 
> > > > I don't know why glib-networking needs to go through gnutls
> > > > which
> > > > then 
> > > > needs to query p11-kit. I suppose p11-kit could directly be
> > > > used,
> > > > but 
> > > > this is not my call to make.
> > > > ...
> > > 
> > > I think your "which then needs to query p11-kit" is not correct.
> > > 
> > > My reading of configure.ac is that ca-certificates could be used
> > > instead, and this also makes a lot more sense in the default
> > > case.
> > > 
> > 
> > I've asked Michael Catanzaro about this, he's not subscribed to
> > this
> > list so he can't reply to the thread. Here's his reply:
> > 
> > The GnuTLS default trust store can be a certificate file bundle or
> > a
> > certificate directory (provided by ca-certificates), or a PKCS#11
> > URI,
> > but PKCS#11 is a better default. If you do not use PKCS#11, then
> > expected functionality like trusting and distrusting certificates
> > using
> > the 'trust' command or applications like seahorse will not work.
> > Most
> > modern Linux distributions are now using PKCS#11 URIs; the only
> > major
> > holdouts are Debian and Ubuntu. So I would definitely recommend the
> > PKCS#11 URI. Of course, basic functionality will work whichever way
> > you
> > choose; glib-networking only requires that GnuTLS has a default
> > trust
> > store, one way or the other, so using a bundle would be OK if you
> > want to avoid the dependency on p11-kit.
> 
> I think most of our system is already using ca-certificates at this
> point so consistency here might make sense.
> 

I think this is the most sensible approach for now indeed.

> If you use a PKCS#11 URI does that mean the systems would need
> network
> access to obtain the trust store?
> 

The ca-certificates will still be used with a PKCS#11 trust store, just
indirectly, via p11-kit. It doesn't require network access.

> Ultimately we may want this to be a global config selection but using
> ca-certs and then having a wider discussion about a global option
> might
> make most sense.
> 

OK, I'll prepare a new patch then for gnutls to directly rely on ca-
certificates, for the time being :)

Thanks Richard and Adrian!
Philippe



Re: [OE-core] [PATCH] gnutls: Add a config option to enable the pkcs11 trust store

2019-05-30 Thread Philippe Normand
On Thu, 2019-05-30 at 17:06 +0300, Adrian Bunk wrote:
> On Thu, May 30, 2019 at 02:30:14PM +0100, Philippe Normand wrote:
> > Hi Adrian,
> 
> Hi Philippe,
> 
> > On Thu, 2019-05-30 at 15:17 +0300, Adrian Bunk wrote:
> > ...
> > > 2. Wouldn't the more common case be to use the ca-certificates
> > > package instead of PKCS #11?
> > 
> > I don't know why glib-networking needs to go through gnutls which
> > then 
> > needs to query p11-kit. I suppose p11-kit could directly be used,
> > but 
> > this is not my call to make.
> > ...
> 
> I think your "which then needs to query p11-kit" is not correct.
> 
> My reading of configure.ac is that ca-certificates could be used
> instead, and this also makes a lot more sense in the default case.
> 

I've asked Michael Catanzaro about this, he's not subscribed to this
list so he can't reply to the thread. Here's his reply:

The GnuTLS default trust store can be a certificate file bundle or a
certificate directory (provided by ca-certificates), or a PKCS#11 URI,
but PKCS#11 is a better default. If you do not use PKCS#11, then
expected functionality like trusting and distrusting certificates using
the 'trust' command or applications like seahorse will not work. Most
modern Linux distributions are now using PKCS#11 URIs; the only major
holdouts are Debian and Ubuntu. So I would definitely recommend the
PKCS#11 URI. Of course, basic functionality will work whichever way you
choose; glib-networking only requires that GnuTLS has a default trust
store, one way or the other, so using a bundle would be OK if you want
to avoid the dependency on p11-kit.

---

So, do you agree about depending on p11-kit from now on?

Philippe



[OE-core] [PATCH 3/3] gnutls: Add a config option to enable the pkcs11 trust store

2019-05-30 Thread Philippe Normand
Since version 2.60 the glib-networking TLS database relies on GnuTLS's system
trust store, so not enabling it leads to TLS errors in applications depending on
glib-networking. The raised runtime warning is:

process:500): GLib-Net-WARNING **: 09:14:09.321: Failed to load TLS database: 
Failed to load system trust store: GnuTLS was not configured with a system trust
(app:490): ... TLS Error: TLS certificate  has unknown CA.

This new option is enabled by default because it is what glib-networking now
expects. Disabling this option would break certificates validation for all
applications directly or indirectly (via libsoup for instance) depending on 
glib-networking.
---
 meta/recipes-support/gnutls/gnutls_3.6.7.bb | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/meta/recipes-support/gnutls/gnutls_3.6.7.bb 
b/meta/recipes-support/gnutls/gnutls_3.6.7.bb
index e05dc2b57d..48684678bb 100644
--- a/meta/recipes-support/gnutls/gnutls_3.6.7.bb
+++ b/meta/recipes-support/gnutls/gnutls_3.6.7.bb
@@ -26,7 +26,7 @@ SRC_URI[sha256sum] = 
"5b3409ad5aaf239808730d1ee12fdcd148c0be00262c7edf157af655a8
 
 inherit autotools texinfo pkgconfig gettext lib_package gtk-doc
 
-PACKAGECONFIG ??= "libidn"
+PACKAGECONFIG ??= "libidn p11-kit pkcs11-trust-store"
 
 # You must also have CONFIG_SECCOMP enabled in the kernel for
 # seccomp to work.
@@ -35,6 +35,8 @@ PACKAGECONFIG[libidn] = "--with-idn,--without-idn,libidn2"
 PACKAGECONFIG[libtasn1] = 
"--with-included-libtasn1=no,--with-included-libtasn1,libtasn1"
 PACKAGECONFIG[p11-kit] = "--with-p11-kit,--without-p11-kit,p11-kit"
 PACKAGECONFIG[tpm] = "--with-tpm,--without-tpm,trousers"
+PACKAGECONFIG[pkcs11-trust-store] = 
"--with-default-trust-store-pkcs11=pkcs11:,,"
+
 
 EXTRA_OECONF = " \
 --enable-doc \
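Review bot: `PACKAGECONFIG[pkcs11-trust-store]` has an empty disable flag and an empty dependency field, so selecting it without `p11-kit` would pass `--with-default-trust-store-pkcs11=pkcs11:` together with `--without-p11-kit`. Deselecting it presumably leaves GnuTLS with no default trust store configured. Since the two options only make sense together, folding the flag into the existing entry rules out the inconsistent combinations: `PACKAGECONFIG[p11-kit] = "--with-p11-kit --with-default-trust-store-pkcs11=pkcs11:,--without-p11-kit,p11-kit"`. A short comment saying that the bare `pkcs11:` URI is intentional would also help, because as I read it the URI carries no attributes to narrow the match, so the trusted set depends on which PKCS#11 modules are configured on the target. The first `[PATCH]` posting dated 2019-05-30 further down the page adds the same entry.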
-- 
2.20.1



[OE-core] [PATCH 2/3] p11-kit: Enable nativesdk and trust-paths option

2019-05-30 Thread Philippe Normand
This is required before enabling p11-kit support by default in gnutls.

Signed-off-by: Philippe Normand 
---
 meta/recipes-support/p11-kit/p11-kit_0.23.16.1.bb | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/meta/recipes-support/p11-kit/p11-kit_0.23.16.1.bb 
b/meta/recipes-support/p11-kit/p11-kit_0.23.16.1.bb
index 54455da1bb..c4ed7c34f3 100644
--- a/meta/recipes-support/p11-kit/p11-kit_0.23.16.1.bb
+++ b/meta/recipes-support/p11-kit/p11-kit_0.23.16.1.bb
@@ -14,7 +14,7 @@ S = "${WORKDIR}/git"
 
 AUTOTOOLS_AUXDIR = "${S}/build/litter"
 
-PACKAGECONFIG ??= ""
+PACKAGECONFIG ??= "trust-paths"
 PACKAGECONFIG[trust-paths] = 
"--with-trust-paths=/etc/ssl/certs/ca-certificates.crt,--without-trust-paths,,ca-certificates"
 
 # This recipe does not use the standard gtk-doc m4 macros, and so the 
./configure flags
@@ -44,3 +44,5 @@ FILES_${PN} += " \
 
 # PN contains p11-kit-proxy.so, a symlink to a loadable module
 INSANE_SKIP_${PN} = "dev-so"
+
+BBCLASSEXTEND = "nativesdk"
-- 
2.20.1



[OE-core] [PATCH 1/3] libtasn1: Enable nativesdk support

2019-05-30 Thread Philippe Normand
This is required before enabling p11-kit support by default in gnutls.

Signed-off-by: Philippe Normand 
---
 meta/recipes-support/gnutls/libtasn1_4.13.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-support/gnutls/libtasn1_4.13.bb 
b/meta/recipes-support/gnutls/libtasn1_4.13.bb
index 9ee1913091..ea2dfe03fd 100644
--- a/meta/recipes-support/gnutls/libtasn1_4.13.bb
+++ b/meta/recipes-support/gnutls/libtasn1_4.13.bb
@@ -20,4 +20,4 @@ SRC_URI[sha256sum] = 
"7e528e8c317ddd156230c4e31d082cd13e7ddeb7a54824be8263220955
 
 inherit autotools texinfo lib_package gtk-doc
 
-BBCLASSEXTEND = "native"
+BBCLASSEXTEND = "native nativesdk"
-- 
2.20.1



Re: [OE-core] [PATCH] gnutls: Add a config option to enable the pkcs11 trust store

2019-05-30 Thread Philippe Normand
Hi Adrian,

On Thu, 2019-05-30 at 15:17 +0300, Adrian Bunk wrote:
> On Thu, May 30, 2019 at 11:12:21AM +0100, Philippe Normand wrote:
> > Since version 2.60 the glib-networking TLS database relies on
> > GnuTLS's system
> > trust store, so not enabling it leads to TLS errors in applications
> > depending on
> > glib-networking. The raised runtime warning is:
> > 
> > process:500): GLib-Net-WARNING **: 09:14:09.321: Failed to load TLS
> > database: Failed to load system trust store: GnuTLS was not
> > configured with a system trust
> > (app:490): ... TLS Error: TLS certificate  has unknown CA.
> > 
...
> Two questions:
> 
> 1. Is this a valid pkcs11 URI?
> 
> AC_ARG_WITH([default-trust-store-pkcs11],
>   [AS_HELP_STRING([--with-default-trust-store-pkcs11=URI],
> [use the given pkcs11 uri as default trust store])])
> 

Yes, I believe so. I simply used the same option as in the Freedesktop
Flatpak SDK:
https://gitlab.com/freedesktop-sdk/freedesktop-sdk/blob/master/elements/components/gnutls.bst


> 2. Wouldn't the more common case be to use the ca-certificates
> package instead of PKCS #11?
> 

I don't know why glib-networking needs to go through gnutls which then
needs to query p11-kit. I suppose p11-kit could directly be used, but
this is not my call to make.

For reference, this is the relevant glib-networking commit:
https://gitlab.gnome.org/GNOME/glib-networking/commit/f1c8feee014007cc913b71357acb609f8d1200df

Anyway, in my local config I had this:

PACKAGECONFIG_append_pn-gnutls = " p11-kit pkcs11-trust-store"
PACKAGECONFIG_append_pn-p11-kit = " trust-paths"

Without those I would still get TLS errors at runtime.
So these 3 options would need to be enabled by default, I'll send a
follow-up patch series.

Philippe



Re: [OE-core] [PATCH] gnutls: Add a config option to enable the pkcs11 trust store

2019-05-30 Thread Philippe Normand
On Thu, 2019-05-30 at 12:46 +0100, richard.pur...@linuxfoundation.org
wrote:
> On Thu, 2019-05-30 at 12:43 +0100, Philippe Normand wrote:
> > On Thu, 2019-05-30 at 12:38 +0100, Richard Purdie wrote:
> > > On Thu, 2019-05-30 at 11:12 +0100, Philippe Normand wrote:
> > > > Since version 2.60 the glib-networking TLS database relies on
> > > > GnuTLS's system
> > > > trust store, so not enabling it leads to TLS errors in
> > > > applications
> > > > depending on
> > > > glib-networking. The raised runtime warning is:
> > > > 
> > > > process:500): GLib-Net-WARNING **: 09:14:09.321: Failed to load
> > > > TLS
> > > > database: Failed to load system trust store: GnuTLS was not
> > > > configured with a system trust
> > > > (app:490): ... TLS Error: TLS certificate  has unknown CA.
> > > 
> > > Doesn't this mean we should enable it by default as well?
> > > 
> > 
> > Yes, I would likely support this decision. :)
> > 
> > I didn't do it in the patch because I don't know all the
> > consequences
> > of enabling this by default. I would rather defer the decision to
> > the
> > recipe maintainer.
> 
> Given we're seeing issues without it enabled, can you send a v2 with
> it
> being enabled by default please? 
> 
> We try not to do that where it adds dependencies we don't need but it
> seems to make sense here to me (I can take repsonsibilty for asking
> for
> it!).
> 

Alright, I'll update the patch then. Enabling this new option requires
the p11-kit option to be enabled as well though.

Philippe



Re: [OE-core] [PATCH] gnutls: Add a config option to enable the pkcs11 trust store

2019-05-30 Thread Philippe Normand
On Thu, 2019-05-30 at 12:38 +0100, Richard Purdie wrote:
> On Thu, 2019-05-30 at 11:12 +0100, Philippe Normand wrote:
> > Since version 2.60 the glib-networking TLS database relies on
> > GnuTLS's system
> > trust store, so not enabling it leads to TLS errors in applications
> > depending on
> > glib-networking. The raised runtime warning is:
> > 
> > process:500): GLib-Net-WARNING **: 09:14:09.321: Failed to load TLS
> > database: Failed to load system trust store: GnuTLS was not
> > configured with a system trust
> > (app:490): ... TLS Error: TLS certificate  has unknown CA.
> 
> Doesn't this mean we should enable it by default as well?
> 

Yes, I would likely support this decision. :)

I didn't do it in the patch because I don't know all the consequences
of enabling this by default. I would rather defer the decision to the
recipe maintainer.

Philippe



[OE-core] [PATCH] gnutls: Add a config option to enable the pkcs11 trust store

2019-05-30 Thread Philippe Normand
Since version 2.60 the glib-networking TLS database relies on GnuTLS's system
trust store, so not enabling it leads to TLS errors in applications depending on
glib-networking. The raised runtime warning is:

process:500): GLib-Net-WARNING **: 09:14:09.321: Failed to load TLS database: 
Failed to load system trust store: GnuTLS was not configured with a system trust
(app:490): ... TLS Error: TLS certificate  has unknown CA.
---
 meta/recipes-support/gnutls/gnutls_3.6.7.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/recipes-support/gnutls/gnutls_3.6.7.bb 
b/meta/recipes-support/gnutls/gnutls_3.6.7.bb
index e05dc2b57d..3ad6e56579 100644
--- a/meta/recipes-support/gnutls/gnutls_3.6.7.bb
+++ b/meta/recipes-support/gnutls/gnutls_3.6.7.bb
@@ -35,6 +35,8 @@ PACKAGECONFIG[libidn] = "--with-idn,--without-idn,libidn2"
 PACKAGECONFIG[libtasn1] = 
"--with-included-libtasn1=no,--with-included-libtasn1,libtasn1"
 PACKAGECONFIG[p11-kit] = "--with-p11-kit,--without-p11-kit,p11-kit"
 PACKAGECONFIG[tpm] = "--with-tpm,--without-tpm,trousers"
+PACKAGECONFIG[pkcs11-trust-store] = 
"--with-default-trust-store-pkcs11=pkcs11:,,"
+
 
 EXTRA_OECONF = " \
 --enable-doc \
-- 
2.20.1




Re: [OE-core] [PATCH v2] cmake: Use compiler launcher variable when ccache is enabled

2019-05-29 Thread Philippe Normand
Setting the CMAKE_C{,XX}_COMPILER_LAUNCHER variables is the recommended way to
deal with ccache in CMake. It allows build scripts to optionally opt-out of
ccache, which is especially useful when the pre-processed GCC output is 
required.

Signed-off-by: Philippe Normand 
---
 meta/classes/cmake.bbclass | 11 +--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/meta/classes/cmake.bbclass b/meta/classes/cmake.bbclass
index d3f0d70847..a5cffedbc6 100644
--- a/meta/classes/cmake.bbclass
+++ b/meta/classes/cmake.bbclass
@@ -26,14 +26,16 @@ python() {
 if not d.getVar('OECMAKE_C_COMPILER'):
 cc_list = d.getVar('CC').split()
 if cc_list[0] == 'ccache':
-d.setVar('OECMAKE_C_COMPILER', '%s %s' % (cc_list[0], cc_list[1]))
+d.setVar('OECMAKE_C_COMPILER_LAUNCHER', cc_list[0])
+d.setVar('OECMAKE_C_COMPILER', cc_list[1])
 else:
 d.setVar('OECMAKE_C_COMPILER', cc_list[0])
 
 if not d.getVar('OECMAKE_CXX_COMPILER'):
 cxx_list = d.getVar('CXX').split()
 if cxx_list[0] == 'ccache':
-d.setVar('OECMAKE_CXX_COMPILER', '%s %s' % (cxx_list[0], 
cxx_list[1]))
+d.setVar('OECMAKE_CXX_COMPILER_LAUNCHER', cxx_list[0])
+d.setVar('OECMAKE_CXX_COMPILER', cxx_list[1])
 else:
 d.setVar('OECMAKE_CXX_COMPILER', cxx_list[0])
 }
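Review bot: In the ccache branch of `python()`, the new `d.setVar('OECMAKE_C_COMPILER_LAUNCHER', cc_list[0])` and its CXX twin overwrite whatever a recipe assigned to the launcher variable, which looks at odds with the `?= ""` defaults added in the next hunk. If recipes are not meant to override it, a comment such as `# Launcher is derived from CC/CXX; projects opt out by clearing CMAKE_<LANG>_COMPILER_LAUNCHER in their CMake code` would make that explicit. The branch also still reads `cc_list[1]` without a length check, so `if cc_list[0] == 'ccache' and len(cc_list) > 1:` would avoid an IndexError when CC is only `ccache`. The function starts above the hunk, so this is based on the visible lines only. The v1 posting and the quoted copy further down the page carry the same hunk.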
@@ -49,6 +51,9 @@ OECMAKE_CXX_LINK_FLAGS ?= "${HOST_CC_ARCH} 
${TOOLCHAIN_OPTIONS} ${CXXFLAGS} ${LD
 CXXFLAGS += "${HOST_CC_ARCH} ${TOOLCHAIN_OPTIONS}"
 CFLAGS += "${HOST_CC_ARCH} ${TOOLCHAIN_OPTIONS}"
 
+OECMAKE_C_COMPILER_LAUNCHER ?= ""
+OECMAKE_CXX_COMPILER_LAUNCHER ?= ""
+
 OECMAKE_RPATH ?= ""
 OECMAKE_PERLNATIVE_DIR ??= ""
 OECMAKE_EXTRA_ROOT_PATH ?= ""
@@ -86,6 +91,8 @@ set( CMAKE_SYSTEM_NAME `echo ${TARGET_OS} | sed -e 
's/^./\u&/' -e 's/^\(Linux\).
 set( CMAKE_SYSTEM_PROCESSOR 
${@map_target_arch_to_uname_arch(d.getVar('TARGET_ARCH'))} )
 set( CMAKE_C_COMPILER ${OECMAKE_C_COMPILER} )
 set( CMAKE_CXX_COMPILER ${OECMAKE_CXX_COMPILER} )
+set( CMAKE_C_COMPILER_LAUNCHER ${OECMAKE_C_COMPILER_LAUNCHER} )
+set( CMAKE_CXX_COMPILER_LAUNCHER ${OECMAKE_CXX_COMPILER_LAUNCHER} )
 set( CMAKE_ASM_COMPILER ${OECMAKE_C_COMPILER} )
 set( CMAKE_AR ${OECMAKE_AR} CACHE FILEPATH "Archiver" )
 set( CMAKE_C_FLAGS "${OECMAKE_C_FLAGS}" CACHE STRING "CFLAGS" )
-- 
2.20.1




Re: [OE-core] [PATCH] cmake: Use compiler launcher variable when ccache is enabled

2019-05-28 Thread Philippe Normand
On 2019-05-28 20:22, Andre McCurdy wrote:
> On Tue, May 28, 2019 at 12:13 PM Philippe Normand  wrote:
>>
>> Setting the CMAKE_C{,XX}_COMPILER_LAUNCHER variables is the recomended way to
>> deal with ccache in CMake. It allows build scripts to optionally opt-out of
>> CMake, which is especially useful when the pre-processed GCC output is 
>> required.
> 
> Opt out of CMake? Or ccache ?
> 

The latter. Sorry about this typo, I'll send an amended patch :)

Philippe

>>
>> Signed-off-by: Philippe Normand 
>> ---
>>  meta/classes/cmake.bbclass | 11 +--
>>  1 file changed, 9 insertions(+), 2 deletions(-)
>>
>> diff --git a/meta/classes/cmake.bbclass b/meta/classes/cmake.bbclass
>> index d3f0d70847..a5cffedbc6 100644
>> --- a/meta/classes/cmake.bbclass
>> +++ b/meta/classes/cmake.bbclass
>> @@ -26,14 +26,16 @@ python() {
>>  if not d.getVar('OECMAKE_C_COMPILER'):
>>  cc_list = d.getVar('CC').split()
>>  if cc_list[0] == 'ccache':
>> -d.setVar('OECMAKE_C_COMPILER', '%s %s' % (cc_list[0], 
>> cc_list[1]))
>> +d.setVar('OECMAKE_C_COMPILER_LAUNCHER', cc_list[0])
>> +d.setVar('OECMAKE_C_COMPILER', cc_list[1])
>>  else:
>>  d.setVar('OECMAKE_C_COMPILER', cc_list[0])
>>
>>  if not d.getVar('OECMAKE_CXX_COMPILER'):
>>  cxx_list = d.getVar('CXX').split()
>>  if cxx_list[0] == 'ccache':
>> -d.setVar('OECMAKE_CXX_COMPILER', '%s %s' % (cxx_list[0], 
>> cxx_list[1]))
>> +d.setVar('OECMAKE_CXX_COMPILER_LAUNCHER', cxx_list[0])
>> +d.setVar('OECMAKE_CXX_COMPILER', cxx_list[1])
>>  else:
>>  d.setVar('OECMAKE_CXX_COMPILER', cxx_list[0])
>>  }
>> @@ -49,6 +51,9 @@ OECMAKE_CXX_LINK_FLAGS ?= "${HOST_CC_ARCH} 
>> ${TOOLCHAIN_OPTIONS} ${CXXFLAGS} ${LD
>>  CXXFLAGS += "${HOST_CC_ARCH} ${TOOLCHAIN_OPTIONS}"
>>  CFLAGS += "${HOST_CC_ARCH} ${TOOLCHAIN_OPTIONS}"
>>
>> +OECMAKE_C_COMPILER_LAUNCHER ?= ""
>> +OECMAKE_CXX_COMPILER_LAUNCHER ?= ""
>> +
>>  OECMAKE_RPATH ?= ""
>>  OECMAKE_PERLNATIVE_DIR ??= ""
>>  OECMAKE_EXTRA_ROOT_PATH ?= ""
>> @@ -86,6 +91,8 @@ set( CMAKE_SYSTEM_NAME `echo ${TARGET_OS} | sed -e 
>> 's/^./\u&/' -e 's/^\(Linux\).
>>  set( CMAKE_SYSTEM_PROCESSOR 
>> ${@map_target_arch_to_uname_arch(d.getVar('TARGET_ARCH'))} )
>>  set( CMAKE_C_COMPILER ${OECMAKE_C_COMPILER} )
>>  set( CMAKE_CXX_COMPILER ${OECMAKE_CXX_COMPILER} )
>> +set( CMAKE_C_COMPILER_LAUNCHER ${OECMAKE_C_COMPILER_LAUNCHER} )
>> +set( CMAKE_CXX_COMPILER_LAUNCHER ${OECMAKE_CXX_COMPILER_LAUNCHER} )
>>  set( CMAKE_ASM_COMPILER ${OECMAKE_C_COMPILER} )
>>  set( CMAKE_AR ${OECMAKE_AR} CACHE FILEPATH "Archiver" )
>>  set( CMAKE_C_FLAGS "${OECMAKE_C_FLAGS}" CACHE STRING "CFLAGS" )
>> --
>> 2.20.1
>>
>>
>> --
>> ___
>> Openembedded-core mailing list
>> Openembedded-core@lists.openembedded.org
>> http://lists.openembedded.org/mailman/listinfo/openembedded-core


[OE-core] [PATCH] cmake: Use compiler launcher variable when ccache is enabled

2019-05-28 Thread Philippe Normand
Setting the CMAKE_C{,XX}_COMPILER_LAUNCHER variables is the recommended way to
deal with ccache in CMake. It allows build scripts to optionally opt-out of
CMake, which is especially useful when the pre-processed GCC output is required.

Signed-off-by: Philippe Normand 
---
 meta/classes/cmake.bbclass | 11 +--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/meta/classes/cmake.bbclass b/meta/classes/cmake.bbclass
index d3f0d70847..a5cffedbc6 100644
--- a/meta/classes/cmake.bbclass
+++ b/meta/classes/cmake.bbclass
@@ -26,14 +26,16 @@ python() {
 if not d.getVar('OECMAKE_C_COMPILER'):
 cc_list = d.getVar('CC').split()
 if cc_list[0] == 'ccache':
-d.setVar('OECMAKE_C_COMPILER', '%s %s' % (cc_list[0], cc_list[1]))
+d.setVar('OECMAKE_C_COMPILER_LAUNCHER', cc_list[0])
+d.setVar('OECMAKE_C_COMPILER', cc_list[1])
 else:
 d.setVar('OECMAKE_C_COMPILER', cc_list[0])
 
 if not d.getVar('OECMAKE_CXX_COMPILER'):
 cxx_list = d.getVar('CXX').split()
 if cxx_list[0] == 'ccache':
-d.setVar('OECMAKE_CXX_COMPILER', '%s %s' % (cxx_list[0], 
cxx_list[1]))
+d.setVar('OECMAKE_CXX_COMPILER_LAUNCHER', cxx_list[0])
+d.setVar('OECMAKE_CXX_COMPILER', cxx_list[1])
 else:
 d.setVar('OECMAKE_CXX_COMPILER', cxx_list[0])
 }
@@ -49,6 +51,9 @@ OECMAKE_CXX_LINK_FLAGS ?= "${HOST_CC_ARCH} 
${TOOLCHAIN_OPTIONS} ${CXXFLAGS} ${LD
 CXXFLAGS += "${HOST_CC_ARCH} ${TOOLCHAIN_OPTIONS}"
 CFLAGS += "${HOST_CC_ARCH} ${TOOLCHAIN_OPTIONS}"
 
+OECMAKE_C_COMPILER_LAUNCHER ?= ""
+OECMAKE_CXX_COMPILER_LAUNCHER ?= ""
+
 OECMAKE_RPATH ?= ""
 OECMAKE_PERLNATIVE_DIR ??= ""
 OECMAKE_EXTRA_ROOT_PATH ?= ""
@@ -86,6 +91,8 @@ set( CMAKE_SYSTEM_NAME `echo ${TARGET_OS} | sed -e 
's/^./\u&/' -e 's/^\(Linux\).
 set( CMAKE_SYSTEM_PROCESSOR 
${@map_target_arch_to_uname_arch(d.getVar('TARGET_ARCH'))} )
 set( CMAKE_C_COMPILER ${OECMAKE_C_COMPILER} )
 set( CMAKE_CXX_COMPILER ${OECMAKE_CXX_COMPILER} )
+set( CMAKE_C_COMPILER_LAUNCHER ${OECMAKE_C_COMPILER_LAUNCHER} )
+set( CMAKE_CXX_COMPILER_LAUNCHER ${OECMAKE_CXX_COMPILER_LAUNCHER} )
 set( CMAKE_ASM_COMPILER ${OECMAKE_C_COMPILER} )
 set( CMAKE_AR ${OECMAKE_AR} CACHE FILEPATH "Archiver" )
 set( CMAKE_C_FLAGS "${OECMAKE_C_FLAGS}" CACHE STRING "CFLAGS" )
-- 
2.20.1

