On 12/4/24 3:10 PM, Richard Purdie wrote:
> On Wed, 2024-12-04 at 14:35 -0600, Mark Hatle via lists.openembedded.org wrote:
>> On 12/2/24 12:55 PM, Alexander Kanavin via lists.openembedded.org wrote:
>>> Hello all,
>>> I'm working on a rpm 4.20 version update, and I thought I'd give
>>> everyone an update on the situation:
>> Is there a reason to go to rpm 4.20? Security/CVE fixes, or is this just a
>> point patch update that makes things worse?
>>> 1. deprecated internal openpgp parser has been removed, as previously announced.
>>> 2. its replacement is rpm-sequoia, written in rust, and needing
>>> libclang as well. There is now a configure switch in rpm to disable
>>> rpm-sequoia, which disables all rpm signing support.
>>> 3. sequoia requirements mean rpm signing support has to be disabled by
>>> default in oe-core, as we do not have clang in core, and can't force
>>> both rust and clang into the default build dependency chain
>>> (rpm-native is also used in do_package regardless of packaging
>>> format).
>>> 4. selftest for rpm signing has to be disabled for the time being as
>>> well, for the same reason.
>>> This is what I am going to send as patches; if you think there must be
>>> ongoing support in core for signed rpms, speak up right this moment,
>>> and propose a realistic plan for making it happen, and pledge
>>> developer resources for it. I also need to remind you that rpm has no
>>> maintainer.
>> Has anyone gone onto the RPM mailing list and asked why this was done
>> and explained that rust in embedded systems (as a base system requirement) is a
>> really terrible idea. (It's not bad as a general thing to be clear.)
>> I had stepped away from all of the RPM work, because frankly I want little to
>> nothing to do with the people who had been doing the work at Red Hat. I know
>> the people working on this stuff have changed since then, but I've also no time
>> to get back involved with this.
>> Your original question of should we keep using RPM is a valid one that the
>> community needs to decide on. For my part, I DO use RPM, because it's easier
>> for us to handle various offline things and at least historically, many more
>> users understood/expected it than apt (and definitely ipk.)
> Alex did talk to them a year ago when this was last discussed (earlier
> in this thread) and they have fairly strong opinions on going in this
> direction regardless:
> https://github.com/rpm-software-management/rpm/issues/2414#issuecomment-1825991703

After reading this, I definitely misunderstood above. I thought it was both
package signature validation (pgp/gpg) as well as the signing of the package
itself. As long as the packages themselves still have the necessary hashes for
self-validation, then most use-cases are covered. For anyone who wants properly
signed packages they need to be told to "go somewhere else" as the RPM community
doesn't intend to support embedded use-cases.

--Mark

> Cheers,
> Richard
View/Reply Online (#2080):
https://lists.openembedded.org/g/openembedded-architecture/message/2080