Generally it's best to resend the whole patchset, as sending individual follow-up patches doesn't scale for maintainers: they can easily lose track of how to combine everything into a non-broken set of commits if many people start sending partial patches at the same time.
Alex

On Thu, 13 Feb 2025 at 16:14, Böszörményi Zoltán <[email protected]> wrote:
>
> On 2025. 02. 13. at 16:06, Richard Purdie wrote:
> > On Thu, 2025-02-13 at 15:43 +0100, Böszörményi Zoltán wrote:
> >> On 2025. 02. 13. at 15:20, Zoltan Boszormenyi via
> >> lists.openembedded.org wrote:
> >>> On 2025. 02. 13. at 14:36, Mathieu Dubois-Briand wrote:
> >>>> On Wed Feb 12, 2025 at 5:35 AM CET, Zoltán Böszörményi wrote:
> >>>>> This ships a crypto policy file for rpm-sequoia.
> >>>>>
> >>>>> Signed-off-by: Zoltán Böszörményi <[email protected]> > >>>>> --- > >>>> Hi Zoltán, > >>>> > >>>> I believe we have a new issue with this version: > >>>> > >>>>> python/build-crypto-policies.py --reloadcmds policies output > >>>>> /tmp/tmpqvyryz80: line 5: Bad configuration option: > >>>>> pubkeyacceptedalgorithms > >>>>> /tmp/tmpqvyryz80: line 6: Bad configuration option: > >>>>> hostbasedacceptedalgorithms > >>>>> /tmp/tmpqvyryz80: line 8: Bad configuration option: > >>>>> requiredrsasize > >>>>> /tmp/tmpqvyryz80: terminating, 3 bad configuration options > >>>>> There is an error in OpenSSH server generated policy > >>>> https://autobuilder.yoctoproject.org/valkyrie/?#/builders/3/builds/1027/steps/11/logs/stdio > >>>> > >>>> > >>>> > >>>> Can you have a look at this error please? > >>> I tested the recipe on Fedora 41 with: > >>> * nss 3.107.0 installed with /usr/bin/nss-policy-check present, and > >>> * faking uninstalling it by renaming /usr/bin/nss-policy-check > >>> > >>> Both worked. > >>> > >>> Some of your build hosts where nss was not installed complained > >>> about executing nss-policy-check unconditionally, which is now > >>> fixed. > >>> > >>> I think this is on a build host with a very old nss version > >>> installed. > >>> Can you uninstall it? > >> I found an alternative solution but it involves patching out > >> most of the policy generators: > >> > >> ================================================ > >> $ git diff python/policygenerators/__init__.py > >> diff --git a/python/policygenerators/__init__.py > >> b/python/policygenerators/__init__.py > >> index 0e3013e..180fb2a 100644 > >> --- a/python/policygenerators/__init__.py > >> +++ b/python/policygenerators/__init__.py 
> >> @@ -3,34 +3,8 @@ > >> # Copyright (c) 2019 Red Hat, Inc. > >> # Copyright (c) 2019 Tomáš Mráz <[email protected]> > >> > >> -from .bind import BindGenerator > >> -from .gnutls import GnuTLSGenerator > >> -from .java import JavaGenerator > >> -from .krb5 import KRB5Generator > >> -from .libreswan import LibreswanGenerator > >> -from .libssh import LibsshGenerator > >> -from .nss import NSSGenerator > >> -from .openssh import OpenSSHClientGenerator, OpenSSHServerGenerator > >> -from .openssl import ( > >> - OpenSSLConfigGenerator, > >> - OpenSSLFIPSGenerator, > >> - OpenSSLGenerator, > >> -) > >> -from .sequoia import RPMSequoiaGenerator, SequoiaGenerator > >> +from .sequoia import RPMSequoiaGenerator > >> > >> __all__ = [ > >> - 'BindGenerator', > >> - 'GnuTLSGenerator', > >> - 'JavaGenerator', > >> - 'KRB5Generator', > >> - 'LibreswanGenerator', > >> - 'LibsshGenerator', > >> - 'NSSGenerator', > >> - 'OpenSSHClientGenerator', > >> - 'OpenSSHServerGenerator', > >> - 'OpenSSLConfigGenerator', > >> - 'OpenSSLFIPSGenerator', > >> - 'OpenSSLGenerator', > >> 'RPMSequoiaGenerator', > >> - 'SequoiaGenerator', > >> ] > >> ================================================ > >> > >> That should work with this old nss version according to > >> the log.do_compile output. > >> > >> I can't see an easy way to make these imports and list conditional, > >> so the patch would be "Upstream-Status: Inappropriate". > >> > >> Since it should only happen for the native build, the patch can be > >> > >> SRC_URI:append:class-native = "..." > >> > >> As far as I know, /usr/bin is filtered from target builds but not > >> from native builds. > > We only allow access to things from HOSTTOOLS, nothing else is meant to > > be used, even for native builds. > > As I wrote, I misdiagnosed it. There's no problem with nss-policy-check. > > Does HOSTTOOLS include /usr/bin/ssh and /usr/bin/sshd? > Because the test_config() class method only fails for openssh and > opensshserver. 
> They can be ignored with an envvar. >
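Review bot: The reduction in python/policygenerators/__init__.py is far broader than the failure it works around: the log quoted above shows only the OpenSSH server policy failing its check, yet the import list and __all__ lose thirteen of the fourteen generators, including SequoiaGenerator from the same .sequoia module that stays imported. Any code that still refers to one of the removed names through this package will fail at import, so either limit the removal to OpenSSHClientGenerator and OpenSSHServerGenerator or drop the hunk in favour of skipping their config test. If the hunk stays, the patch file should carry a comment stating why the list is reduced and that it applies only to the native build.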
View/Reply Online (#211347): https://lists.openembedded.org/g/openembedded-core/message/211347
