On Wed, 2024-12-04 at 14:35 -0600, Mark Hatle via lists.openembedded.org wrote:
>
> On 12/2/24 12:55 PM, Alexander Kanavin via lists.openembedded.org wrote:
> > Hello all,
> >
> > I'm working on an rpm 4.20 version update, and I thought I'd give everyone an update on the situation:
>
> Is there a reason to go to rpm 4.20? Security/CVE fixes, or is this just a point patch update that makes things worse?
>
> > 1. deprecated internal openpgp parser has been removed, as previously announced.
> > 2. its replacement is rpm-sequoia, written in rust, and needing libclang as well. There is now a configure switch in rpm to disable rpm-sequoia, which disables all rpm signing support.
> > 3. sequoia requirements mean rpm signing support has to be disabled by default in oe-core, as we do not have clang in core, and can't force both rust and clang into the default build dependency chain (rpm-native is also used in do_package regardless of packaging format).
> > 4. selftest for rpm signing has to be disabled for the time being as well, for the same reason.
> >
> > This is what I am going to send as patches; if you think there must be ongoing support in core for signed rpms, speak up right this moment, and propose a realistic plan for making it happen, and pledge developer resources for it. I also need to remind you that rpm has no maintainer.
>
> Has anyone gone onto the RPM mailing list and asked about why this was done and explained that rust in embedded systems (as a base system requirement) is a really terrible idea? (It's not bad as a general thing, to be clear.)
>
> I had stepped away from all of the RPM work, because frankly I want little to nothing to do with the people who had been doing the work at Red Hat. I know the people working on this stuff have changed since then, but I've also no time to get back involved with this.
>
> Your original question of whether we should keep using RPM is a valid one that the community needs to decide on. For my part, I DO use RPM, because it's easier for us to handle various offline things and, at least historically, many more users understood/expected it than apt (and definitely ipk).
Alex did talk to them a year ago when this was last discussed (earlier in this thread) and they have fairly strong opinions on going in this direction regardless: https://github.com/rpm-software-management/rpm/issues/2414#issuecomment-1825991703

Cheers,

Richard
View/Reply Online (#2079): https://lists.openembedded.org/g/openembedded-architecture/message/2079