[PATCH v2] openssl: Use the c_rehash shell re-implementation for target

[PATCH v2] openssl: Use the c_rehash shell re-implementation for target

[Otavio Salvador]

We had a c_rehash shell re-implementation being used for the native
package and there is no reason to not use it as well for the
target. This allows it to be available without the need of perl being
installed.

This partially reverts OE-Core:d2b1a889ef (openssl: move c_rehash pkg
to avoid perl dep) but still allows the removal of perl
dependency.

The respective re-implementation was already in use here at OE-Core by
the OpenSSL 1.0 recipe (since 2016) and were removed from the target
recipe during the upgrade to the 1.1 release. So it now aligns the
native and target recipes.

,----
| Author: Otavio Salvador <otavio@ossystems.com.br>
| Date:   Mon May 23 17:45:25 2016 -0300
|
|     openssl: Add Shell-Script based c_rehash utility
|
|     The PLD Linux distribution has ported the c_rehash[1] utility from
|     Perl to Shell-Script, allowing it to be shipped by default.
|
|     1. https://git.pld-linux.org/?p=packages/openssl.git;a=blob;f=openssl-c_rehash.sh;h=0ea22637ee6dbce845a9e2caf62540aaaf5d0761
|
|     The OpenSSL upstream intends[2] to convert the utility for C
|     however did not yet finished the conversion.
|
|     2. https://rt.openssl.org/Ticket/Display.html?id=2324
|
|     This patch adds this script and thus removed the Perl requirement
|     for it.
|
|     Signed-off-by: Otavio Salvador <otavio@ossystems.com.br>
|     Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
`----

Signed-off-by: Otavio Salvador <otavio@ossystems.com.br>
---

Changes in v2:
- updated commit log

 .../openssl/openssl_1.1.1a.bb                    | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.1a.bb b/meta/recipes-connectivity/openssl/openssl_1.1.1a.bb
index 4a626a4fcd..a6f920e15b 100644
--- a/meta/recipes-connectivity/openssl/openssl_1.1.1a.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.1.1a.bb
@@ -128,7 +128,13 @@ do_install () {
 
 	oe_multilib_header openssl/opensslconf.h
 
-	# Create SSL structure for packages such as ca-certificates which
+	# Install a custom version of c_rehash that can handle sysroots properly.
+	# This version is used for example when installing ca-certificates during
+	# image creation.
+	install -Dm 0755 ${WORKDIR}/openssl-c_rehash.sh ${D}${bindir}/c_rehash
+	sed -i -e 's,/etc/openssl,${sysconfdir}/ssl,g' ${D}${bindir}/c_rehash
+
+        # Create SSL structure for packages such as ca-certificates which
 	# contain hard-coded paths to /etc/ssl. Debian does the same.
 	install -d ${D}${sysconfdir}/ssl
 	mv ${D}${libdir}/ssl-1.1/certs \
@@ -149,12 +155,6 @@ do_install_append_class-native () {
 	    SSL_CERT_DIR=${libdir}/ssl-1.1/certs \
 	    SSL_CERT_FILE=${libdir}/ssl-1.1/cert.pem \
 	    OPENSSL_ENGINES=${libdir}/ssl-1.1/engines
-
-	# Install a custom version of c_rehash that can handle sysroots properly.
-	# This version is used for example when installing ca-certificates during
-	# image creation.
-	install -Dm 0755 ${WORKDIR}/openssl-c_rehash.sh ${D}${bindir}/c_rehash
-	sed -i -e 's,/etc/openssl,${sysconfdir}/ssl,g' ${D}${bindir}/c_rehash
 }
 
 do_install_append_class-nativesdk () {
@@ -196,7 +196,7 @@ FILES_libcrypto = "${libdir}/libcrypto${SOLIBS}"
 FILES_libssl = "${libdir}/libssl${SOLIBS}"
 FILES_openssl-conf = "${sysconfdir}/ssl/openssl.cnf"
 FILES_${PN}-engines = "${libdir}/engines-1.1"
-FILES_${PN}-misc = "${libdir}/ssl-1.1/misc ${bindir}/c_rehash"
+FILES_${PN}-misc = "${libdir}/ssl-1.1/misc"
 FILES_${PN} =+ "${libdir}/ssl-1.1/*"
 FILES_${PN}_append_class-nativesdk = " ${SDKPATHNATIVE}/environment-setup.d/openssl.sh"
 
-- 
2.21.0

Re: [PATCH v2] openssl: Use the c_rehash shell re-implementation for target

[Alexander Kanavin]

Apologies, but I still have to veto this. The concerns I expressed previously still stand.

The best course of action would be to work with the OpenSSL upstream to replace the utility with either C or shell version.

Alex

> On 18 Mar 2019, at 14.36, Otavio Salvador <otavio@ossystems.com.br> wrote:
> 
> We had a c_rehash shell re-implementation being used for the native
> package and there is no reason to not use it as well for the
> target. This allows it to be available without the need of perl being
> installed.
> 
> This partially reverts OE-Core:d2b1a889ef (openssl: move c_rehash pkg
> to avoid perl dep) but still allows the removal of perl
> dependency.
> 
> The respective re-implementation was already in use here at OE-Core by
> the OpenSSL 1.0 recipe (since 2016) and were removed from the target
> recipe during the upgrade to the 1.1 release. So it now aligns the
> native and target recipes.
> 
> ,----
> | Author: Otavio Salvador <otavio@ossystems.com.br>
> | Date:   Mon May 23 17:45:25 2016 -0300
> |
> |     openssl: Add Shell-Script based c_rehash utility
> |
> |     The PLD Linux distribution has ported the c_rehash[1] utility from
> |     Perl to Shell-Script, allowing it to be shipped by default.
> |
> |     1. https://git.pld-linux.org/?p=packages/openssl.git;a=blob;f=openssl-c_rehash.sh;h=0ea22637ee6dbce845a9e2caf62540aaaf5d0761
> |
> |     The OpenSSL upstream intends[2] to convert the utility for C
> |     however did not yet finished the conversion.
> |
> |     2. https://rt.openssl.org/Ticket/Display.html?id=2324
> |
> |     This patch adds this script and thus removed the Perl requirement
> |     for it.
> |
> |     Signed-off-by: Otavio Salvador <otavio@ossystems.com.br>
> |     Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
> `----
> 
> Signed-off-by: Otavio Salvador <otavio@ossystems.com.br>
> ---
> 
> Changes in v2:
> - updated commit log
> 
> .../openssl/openssl_1.1.1a.bb                    | 16 ++++++++--------
> 1 file changed, 8 insertions(+), 8 deletions(-)
> 
> diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.1a.bb b/meta/recipes-connectivity/openssl/openssl_1.1.1a.bb
> index 4a626a4fcd..a6f920e15b 100644
> --- a/meta/recipes-connectivity/openssl/openssl_1.1.1a.bb
> +++ b/meta/recipes-connectivity/openssl/openssl_1.1.1a.bb
> @@ -128,7 +128,13 @@ do_install () {
> 
>    oe_multilib_header openssl/opensslconf.h
> 
> -    # Create SSL structure for packages such as ca-certificates which
> +    # Install a custom version of c_rehash that can handle sysroots properly.
> +    # This version is used for example when installing ca-certificates during
> +    # image creation.
> +    install -Dm 0755 ${WORKDIR}/openssl-c_rehash.sh ${D}${bindir}/c_rehash
> +    sed -i -e 's,/etc/openssl,${sysconfdir}/ssl,g' ${D}${bindir}/c_rehash
> +
> +        # Create SSL structure for packages such as ca-certificates which
>    # contain hard-coded paths to /etc/ssl. Debian does the same.
>    install -d ${D}${sysconfdir}/ssl
>    mv ${D}${libdir}/ssl-1.1/certs \
> @@ -149,12 +155,6 @@ do_install_append_class-native () {
>        SSL_CERT_DIR=${libdir}/ssl-1.1/certs \
>        SSL_CERT_FILE=${libdir}/ssl-1.1/cert.pem \
>        OPENSSL_ENGINES=${libdir}/ssl-1.1/engines
> -
> -    # Install a custom version of c_rehash that can handle sysroots properly.
> -    # This version is used for example when installing ca-certificates during
> -    # image creation.
> -    install -Dm 0755 ${WORKDIR}/openssl-c_rehash.sh ${D}${bindir}/c_rehash
> -    sed -i -e 's,/etc/openssl,${sysconfdir}/ssl,g' ${D}${bindir}/c_rehash
> }
> 
> do_install_append_class-nativesdk () {
> @@ -196,7 +196,7 @@ FILES_libcrypto = "${libdir}/libcrypto${SOLIBS}"
> FILES_libssl = "${libdir}/libssl${SOLIBS}"
> FILES_openssl-conf = "${sysconfdir}/ssl/openssl.cnf"
> FILES_${PN}-engines = "${libdir}/engines-1.1"
> -FILES_${PN}-misc = "${libdir}/ssl-1.1/misc ${bindir}/c_rehash"
> +FILES_${PN}-misc = "${libdir}/ssl-1.1/misc"
> FILES_${PN} =+ "${libdir}/ssl-1.1/*"
> FILES_${PN}_append_class-nativesdk = " ${SDKPATHNATIVE}/environment-setup.d/openssl.sh"
> 
> -- 
> 2.21.0
> 
> -- 
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-core

Re: [PATCH v2] openssl: Use the c_rehash shell re-implementation for target

[Otavio Salvador]

Hello Alexander,

On Mon, Mar 18, 2019 at 11:53 AM Alexander Kanavin
<alex.kanavin@gmail.com> wrote:
>
> Apologies, but I still have to veto this. The concerns I expressed previously still stand.
>
> The best course of action would be to work with the OpenSSL upstream to replace the utility with either C or shell version.

I understand your concerns about this however, those also stands for
the native recipe. So we have two possible routes which seem to align
with those concerns:

1) assume the c_rehash in shell script is good enough and adopt it
2) drop c_rehash from openssl recipe

either work. The use of a different version for target and native does
not seem consistent either correct.

As mentioned, this has been in use in multiple devices for years
without concerns and this has been changed under the hood when moving
to OpenSSL 1.1. Also, the ca-certificate is broken for installation on
target now (as it uses c_rehash) and this is still unnoticed.

So I know your view on this. I'd like to know the view of other team
members as well...


-- 
Otavio Salvador                             O.S. Systems
http://www.ossystems.com.br        http://code.ossystems.com.br
Mobile: +55 (53) 9 9981-7854          Mobile: +1 (347) 903-9750

Re: [PATCH v2] openssl: Use the c_rehash shell re-implementation for target

[Alexander Kanavin]

It’s fine to use the shell rewrite in the native case, as it’s only used from one place under our control. This is not the case for the target where we have no idea where and how the script can be used. So you can’t argue that native has the same issues as target does, and therefore they must be the same. The reason we use shell rewrite for native is that it handles sysroots properly from what I remember.

If something is broken, please describe the steps to reproduce and I can look into it

Alex

> On 18 Mar 2019, at 17.00, Otavio Salvador <otavio.salvador@ossystems.com.br> wrote:
> 
> Hello Alexander,
> 
> On Mon, Mar 18, 2019 at 11:53 AM Alexander Kanavin
> <alex.kanavin@gmail.com> wrote:
>> 
>> Apologies, but I still have to veto this. The concerns I expressed previously still stand.
>> 
>> The best course of action would be to work with the OpenSSL upstream to replace the utility with either C or shell version.
> 
> I understand your concerns about this however, those also stands for
> the native recipe. So we have two possible routes which seem to align
> with those concerns:
> 
> 1) assume the c_rehash in shell script is good enough and adopt it
> 2) drop c_rehash from openssl recipe
> 
> either work. The use of a different version for target and native does
> not seem consistent either correct.
> 
> As mentioned, this has been in use in multiple devices for years
> without concerns and this has been changed under the hood when moving
> to OpenSSL 1.1. Also, the ca-certificate is broken for installation on
> target now (as it uses c_rehash) and this is still unnoticed.
> 
> So I know your view on this. I'd like to know the view of other team
> members as well...
> 
> 
> -- 
> Otavio Salvador                             O.S. Systems
> http://www.ossystems.com.br        http://code.ossystems.com.br
> Mobile: +55 (53) 9 9981-7854          Mobile: +1 (347) 903-9750

Re: [PATCH v2] openssl: Use the c_rehash shell re-implementation for target

[Richard Purdie]

I was asked for my views on this thread.

OE is primarily targeting embedded systems and removing a perl
dependency from target is something we do care about and a significant
win. 

As such I'm tempted to merge this patch in for that reason. The fact
we're successfully using it at rootfs time is a good sign.

I was also made aware that on target ca-certificates is currently
broken by the last change in this area and this patch does in fact fix
that again. This tells us nobody uses it that heavily on target as
nobody noticed. It also means we could do with some better tests :/.

I think the commit message could use some work but IMO this patch
probably is worth it for OE.

I also note with interest that upstream are writing a C version as that
would solve much of this debate once and for all meaning we might not
have to carry this change forever. It would be good if the new upstream
version cared about sysroot style usage...

Cheers,

Richard

Re: [PATCH v2] openssl: Use the c_rehash shell re-implementation for target

[Otavio Salvador]

Hello Richard,

On Mon, Mar 18, 2019 at 8:18 PM Richard Purdie
<richard.purdie@linuxfoundation.org> wrote:
...
> I think the commit message could use some work but IMO this patch
> probably is worth it for OE.

What do you think I could improve on it?

-- 
Otavio Salvador                             O.S. Systems
http://www.ossystems.com.br        http://code.ossystems.com.br
Mobile: +55 (53) 9 9981-7854          Mobile: +1 (347) 903-9750

Re: [PATCH v2] openssl: Use the c_rehash shell re-implementation for target

[Richard Purdie]

On Mon, 2019-03-18 at 10:36 -0300, Otavio Salvador wrote:
> We had a c_rehash shell re-implementation being used for the native
> package and there is no reason to not use it as well for the
> target. This allows it to be available without the need of perl being
> installed.
> 
> This partially reverts OE-Core:d2b1a889ef (openssl: move c_rehash pkg
> to avoid perl dep) but still allows the removal of perl
> dependency.
> 
> The respective re-implementation was already in use here at OE-Core
> by
> the OpenSSL 1.0 recipe (since 2016) and were removed from the target
> recipe during the upgrade to the 1.1 release. So it now aligns the
> native and target recipes.
> 
> ,----
> > Author: Otavio Salvador <otavio@ossystems.com.br>
> > Date:   Mon May 23 17:45:25 2016 -0300
> > 
> >     openssl: Add Shell-Script based c_rehash utility
> > 
> >     The PLD Linux distribution has ported the c_rehash[1] utility
> > from
> >     Perl to Shell-Script, allowing it to be shipped by default.
> > 
> >     1. 
> > https://git.pld-linux.org/?p=packages/openssl.git;a=blob;f=openssl-c_rehash.sh;h=0ea22637ee6dbce845a9e2caf62540aaaf5d0761
> > 
> >     The OpenSSL upstream intends[2] to convert the utility for C
> >     however did not yet finished the conversion.
> > 
> >     2. https://rt.openssl.org/Ticket/Display.html?id=2324
> > 
> >     This patch adds this script and thus removed the Perl
> > requirement
> >     for it.
> > 
> >     Signed-off-by: Otavio Salvador <otavio@ossystems.com.br>
> >     Signed-off-by: Richard Purdie <
> > richard.purdie@linuxfoundation.org>
> `----

I went to have a look at how this upstream C utility was going and
found that they've moved to github issues and there is no such issue
open.

The closest I could get to patches was http://openssl.6102.n7.nabble.com/openssl-org-3505-rewrite-c-rehash-in-C-td53069.html

Could you open a github issue asking if they can move to a C or shell
util as some projects don't want a perl dependency like that? I'd like
to understand upstream's intentions in this area. Do they have a reason
for using perl here that we're missing?

Cheers,

Richard

Re: [PATCH v2] openssl: Use the c_rehash shell re-implementation for target

[Andre McCurdy]

On Mon, Mar 18, 2019 at 4:35 PM Richard Purdie
<richard.purdie@linuxfoundation.org> wrote:
>
> I went to have a look at how this upstream C utility was going and
> found that they've moved to github issues and there is no such issue
> open.

It's already been implemented and is present in openssl 1.1.0:

  https://www.openssl.org/docs/man1.1.0/man1/rehash.html

Re: [PATCH v2] openssl: Use the c_rehash shell re-implementation for target

[Richard Purdie]

On Mon, 2019-03-18 at 16:52 -0700, Andre McCurdy wrote:
> On Mon, Mar 18, 2019 at 4:35 PM Richard Purdie
> <richard.purdie@linuxfoundation.org> wrote:
> > I went to have a look at how this upstream C utility was going and
> > found that they've moved to github issues and there is no such
> > issue
> > open.
> 
> It's already been implemented and is present in openssl 1.1.0:
> 
>   https://www.openssl.org/docs/man1.1.0/man1/rehash.html

Great, it felt like I was missing something!

Otavio: Why do we need c_rehash on target at all, can we use rehash?

Cheers,

Richard

Re: [PATCH v2] openssl: Use the c_rehash shell re-implementation for target

[Otavio Salvador]

On Mon, Mar 18, 2019 at 8:56 PM Richard Purdie
<richard.purdie@linuxfoundation.org> wrote:
> On Mon, 2019-03-18 at 16:52 -0700, Andre McCurdy wrote:
> > On Mon, Mar 18, 2019 at 4:35 PM Richard Purdie
> > <richard.purdie@linuxfoundation.org> wrote:
> > > I went to have a look at how this upstream C utility was going and
> > > found that they've moved to github issues and there is no such
> > > issue
> > > open.
> >
> > It's already been implemented and is present in openssl 1.1.0:
> >
> >   https://www.openssl.org/docs/man1.1.0/man1/rehash.html
>
> Great, it felt like I was missing something!
>
> Otavio: Why do we need c_rehash on target at all, can we use rehash?

Likely, I am checking what would take to rework it all to use it. Will
reply soon...

-- 
Otavio Salvador                             O.S. Systems
http://www.ossystems.com.br        http://code.ossystems.com.br
Mobile: +55 (53) 9 9981-7854          Mobile: +1 (347) 903-9750