From 706085aaf72ff6d60e65c812e9d06388e3347d65 Mon Sep 17 00:00:00 2001 From: Yoann Congal Date: Tue, 15 Apr 2025 23:34:27 +0200 Subject: rpm-sequoia-crypto-policy: Fix build failure on Debian 12+Strongswan rpm-sequoia-crypto-policy tries to validate the configuration files using host tools. For the Strongswan policy, it uses "ipsec readwriteconf" which is not available on Debian 12 with Strongswan installed. To fix this, add and use an option to skip the problematic validation. (From OE-Core rev: d10ca0fe194b62b2f383be880a008cde2bd0fd4f) Signed-off-by: Yoann Congal Signed-off-by: Richard Purdie --- ...-Allow-skipping-test_config-for-old-ipsec.patch | 29 ++++++++++++++++++++++ .../rpm-sequoia/rpm-sequoia-crypto-policy_git.bb | 8 ++++-- 2 files changed, 35 insertions(+), 2 deletions(-) create mode 100644 meta/recipes-devtools/rpm-sequoia/rpm-sequoia-crypto-policy/0001-libreswan-Allow-skipping-test_config-for-old-ipsec.patch diff --git a/meta/recipes-devtools/rpm-sequoia/rpm-sequoia-crypto-policy/0001-libreswan-Allow-skipping-test_config-for-old-ipsec.patch b/meta/recipes-devtools/rpm-sequoia/rpm-sequoia-crypto-policy/0001-libreswan-Allow-skipping-test_config-for-old-ipsec.patch new file mode 100644 index 0000000000..db3ea4b843 --- /dev/null +++ b/meta/recipes-devtools/rpm-sequoia/rpm-sequoia-crypto-policy/0001-libreswan-Allow-skipping-test_config-for-old-ipsec.patch @@ -0,0 +1,29 @@ +From f7a8e2c049c2c3e2bfcb801d7b65214c0a5bad77 Mon Sep 17 00:00:00 2001 +From: Yoann Congal +Date: Tue, 15 Apr 2025 17:27:20 +0200 +Subject: [PATCH] libreswan: Allow skipping test_config for old ipsec + +In some case, /usr/sbin/ipsec does not handle the readwriteconf command. +e.g. on Debian 12 with strongswan installed. +As with the other OLD_* variables, add an OLD_LIBRESWAN environment +variable to skip configuration testing on those systems. + +Signed-off-by: Yoann Congal +Upstream-Status: Backport [https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/merge_requests/237] +--- + python/policygenerators/libreswan.py | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/python/policygenerators/libreswan.py b/python/policygenerators/libreswan.py +index a2b02f5..d81ec0c 100644 +--- a/python/policygenerators/libreswan.py ++++ b/python/policygenerators/libreswan.py +@@ -227,6 +227,8 @@ class LibreswanGenerator(ConfigGenerator): + + @classmethod + def test_config(cls, config): ++ if os.getenv('OLD_LIBRESWAN') == '1': ++ return True + if not os.access('/usr/sbin/ipsec', os.X_OK): + return True + diff --git a/meta/recipes-devtools/rpm-sequoia/rpm-sequoia-crypto-policy_git.bb b/meta/recipes-devtools/rpm-sequoia/rpm-sequoia-crypto-policy_git.bb index 522e9a393d..4ccfc95c33 100644 --- a/meta/recipes-devtools/rpm-sequoia/rpm-sequoia-crypto-policy_git.bb +++ b/meta/recipes-devtools/rpm-sequoia/rpm-sequoia-crypto-policy_git.bb @@ -8,7 +8,10 @@ LIC_FILES_CHKSUM = "file://COPYING.LESSER;md5=a6f89e2100d9b6cdffcea4f398e37343" # Python 3.11+ is needed to build fedora-crypto-policies inherit allarch python3native -SRC_URI = "git://gitlab.com/redhat-crypto/fedora-crypto-policies.git;protocol=https;branch=master" +SRC_URI = " \ + git://gitlab.com/redhat-crypto/fedora-crypto-policies.git;protocol=https;branch=master \ + file://0001-libreswan-Allow-skipping-test_config-for-old-ipsec.patch \ +" SRCREV = "032b418a6db842f0eab330eb5909e4604e888728" UPSTREAM_CHECK_COMMITS = "1" @@ -20,10 +23,11 @@ do_compile () { # It speeds up the build and we only need DEFAULT/rpm-sequoia. rm -f $(ls -1 policies/*.pol | grep -v DEFAULT.pol) || echo nothing to delete - # Don't validate openssh and gnutls policy variants. + # Don't validate openssh, gnutls and libreswan policy variants. # Validation may fail and these variants are not needed. export OLD_OPENSSH=1 export OLD_GNUTLS=1 + export OLD_LIBRESWAN=1 make ASCIIDOC=echo XSLTPROC=echo } -- cgit v1.2.3-54-g00ecf