On 12/2/24 12:55 PM, Alexander Kanavin via lists.openembedded.org wrote:
Hello all,

I'm working on a rpm 4.20 version update, and I thought I'd give
everyone an update on the situation:

Is there a reason to go to rpm 4.20? Security/CVE fixes, or is this just a point patch update that makes things worse?

1. deprecated internal openpgp parser has been removed, as previously announced.
2. its replacement is rpm-sequoia, written in rust, and needing
libclang as well. There is now a configure switch in rpm to disable
rpm-sequoia, which disables all rpm signing support.
3. sequoia requirements mean rpm signing support has to be disabled by
default in oe-core, as we do not have clang in core, and can't force
both rust and clang into the default build dependency chain
(rpm-native is also used in do_package regardless of packaging
format).
4. selftest for rpm signing has to be disabled for the time being as
well, for the same reason.

This is what I am going to send as patches; if you think there must be
ongoing support in core for signed rpms, speak up right this moment,
and propose a realistic plan for making it happen, and pledge
developer resources for it. I also need to remind you that rpm has no
maintainer.

Has anyone gone onto the RPM mailing list and asked about why this was done and explained that rust in embedded systems (as a base system requirement) is a really terrible idea? (It's not bad as a general thing, to be clear.)

I had stepped away from all of the RPM work, because frankly I want little to nothing to do with the people who had been doing the work at Red Hat. I know the people working on this stuff have changed since then, but I've also no time to get back involved with this.

Your original question of whether we should keep using RPM is a valid one that the community needs to decide on. For my part, I DO use RPM, because it's easier for us to handle various offline things and, at least historically, many more users understood/expected it than apt (and definitely ipk).

--Mark

Thanks,
Alex

On Sat, 25 Nov 2023 at 12:54, Alexander Kanavin via
lists.openembedded.org <[email protected]>
wrote:

On Sat, 25 Nov 2023 at 12:50, Sudip Mukherjee
<[email protected]> wrote:
- consider that we may need a divorce from the rpm ecosystem. We don't
have a particularly well-established relationship with them, and have
no influence on their roadmap and goals. So maybe we should mark rpm
package format as deprecated, do what we can to ship it in the next
LTS release, and then just remove all of it, and default to ipk. Any
interested party can set up meta-rpm then and maintain it.

+1 for this. For the next release you can use the "deprecated internal parser".

I've started a conversation with upstream here as others have asked for that:
https://github.com/rpm-software-management/rpm/issues/2414#issuecomment-1825991703

If any interested party doesn't want the above scenario to become
reality, you really do need to go there, and do your best to convince
upstream to find alternatives (such as disabling the crypto bits in
rpm with a build time switch).

Alex

View/Reply Online (#2078): 
https://lists.openembedded.org/g/openembedded-architecture/message/2078