[PATCH] cip-core-image-security: remove unnecessary dependency package names

[PATCH] cip-core-image-security: remove unnecessary dependency package names

[venkata.pyla]

From: venkata pyla <venkata.pyla@toshiba-tsip.com>

It is not necessary to mention dependency package names when parent
package is present, the dependency packages will automatically
install by isar framework.

so removing the dependency packages which are not necessary.

Signed-off-by: venkata pyla <venkata.pyla@toshiba-tsip.com>
---
 recipes-core/images/cip-core-image-security.bb | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/recipes-core/images/cip-core-image-security.bb b/recipes-core/images/cip-core-image-security.bb
index 61ddc39..6c41b00 100644
--- a/recipes-core/images/cip-core-image-security.bb
+++ b/recipes-core/images/cip-core-image-security.bb
@@ -17,12 +17,12 @@ IMAGE_INSTALL += "security-customizations"
 
 # Debian packages that provide security features
 IMAGE_PREINSTALL += " \
-	openssl libssl1.1 \
+	openssl \
 	fail2ban \
 	openssh-server openssh-sftp-server openssh-client \
 	syslog-ng-core syslog-ng-mod-journal \
-	aide aide-common \
-	libnftables0 nftables \
+	aide \
+	nftables \
 	libpam-pkcs11 \
 	chrony \
 	tpm2-tools \
@@ -30,7 +30,7 @@ IMAGE_PREINSTALL += " \
 	libtss2-esys0 libtss2-udev \
 	libpam-cracklib \
 	acl \
-	libauparse0 audispd-plugins auditd \
+	audispd-plugins auditd \
 	uuid-runtime \
 	sudo \
 "
-- 
2.20.1

Re: [PATCH] cip-core-image-security: remove unnecessary dependency package names

[Jan Kiszka]

On 15.11.21 17:15, venkata.pyla@toshiba-tsip.com wrote:
> From: venkata pyla <venkata.pyla@toshiba-tsip.com>
> 
> It is not necessary to mention dependency package names when parent
> package is present, the dependency packages will automatically
> install by isar framework.
> 
> so removing the dependency packages which are not necessary.
> 
> Signed-off-by: venkata pyla <venkata.pyla@toshiba-tsip.com>
> ---
>  recipes-core/images/cip-core-image-security.bb | 8 ++++----
>  1 file changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/recipes-core/images/cip-core-image-security.bb b/recipes-core/images/cip-core-image-security.bb
> index 61ddc39..6c41b00 100644
> --- a/recipes-core/images/cip-core-image-security.bb
> +++ b/recipes-core/images/cip-core-image-security.bb
> @@ -17,12 +17,12 @@ IMAGE_INSTALL += "security-customizations"
>  
>  # Debian packages that provide security features
>  IMAGE_PREINSTALL += " \
> -	openssl libssl1.1 \
> +	openssl \
>  	fail2ban \
>  	openssh-server openssh-sftp-server openssh-client \
>  	syslog-ng-core syslog-ng-mod-journal \
> -	aide aide-common \
> -	libnftables0 nftables \
> +	aide \
> +	nftables \
>  	libpam-pkcs11 \
>  	chrony \
>  	tpm2-tools \
> @@ -30,7 +30,7 @@ IMAGE_PREINSTALL += " \
>  	libtss2-esys0 libtss2-udev \
>  	libpam-cracklib \
>  	acl \
> -	libauparse0 audispd-plugins auditd \
> +	audispd-plugins auditd \
>  	uuid-runtime \
>  	sudo \
>  "
> 

Was the list possibly intended to list all packages explicitly that are
security related? If not or that was incomplete anyway, this is fine.

Jan

-- 
Siemens AG, T RDA IOT
Corporate Competence Center Embedded Linux

RE: [cip-dev] [PATCH] cip-core-image-security: remove unnecessary dependency package names

[Venkata.Pyla]

>-----Original Message-----
>From: cip-dev@lists.cip-project.org <cip-dev@lists.cip-project.org> On Behalf Of
>Jan Kiszka
>Sent: 16 November 2021 00:16
>To: pyla venkata(ＴＳＩＰ) <Venkata.Pyla@toshiba-tsip.com>; cip-
>dev@lists.cip-project.org
>Subject: Re: [cip-dev] [PATCH] cip-core-image-security: remove unnecessary
>dependency package names
>
>On 15.11.21 17:15, venkata.pyla@toshiba-tsip.com wrote:
>> From: venkata pyla <venkata.pyla@toshiba-tsip.com>
>>
>> It is not necessary to mention dependency package names when parent
>> package is present, the dependency packages will automatically install
>> by isar framework.
>>
>> so removing the dependency packages which are not necessary.
>>
>> Signed-off-by: venkata pyla <venkata.pyla@toshiba-tsip.com>
>> ---
>>  recipes-core/images/cip-core-image-security.bb | 8 ++++----
>>  1 file changed, 4 insertions(+), 4 deletions(-)
>>
>> diff --git a/recipes-core/images/cip-core-image-security.bb
>> b/recipes-core/images/cip-core-image-security.bb
>> index 61ddc39..6c41b00 100644
>> --- a/recipes-core/images/cip-core-image-security.bb
>> +++ b/recipes-core/images/cip-core-image-security.bb
>> @@ -17,12 +17,12 @@ IMAGE_INSTALL += "security-customizations"
>>
>>  # Debian packages that provide security features  IMAGE_PREINSTALL +=
>> " \
>> -	openssl libssl1.1 \
>> +	openssl \
>>  	fail2ban \
>>  	openssh-server openssh-sftp-server openssh-client \
>>  	syslog-ng-core syslog-ng-mod-journal \
>> -	aide aide-common \
>> -	libnftables0 nftables \
>> +	aide \
>> +	nftables \
>>  	libpam-pkcs11 \
>>  	chrony \
>>  	tpm2-tools \
>> @@ -30,7 +30,7 @@ IMAGE_PREINSTALL += " \
>>  	libtss2-esys0 libtss2-udev \
>>  	libpam-cracklib \
>>  	acl \
>> -	libauparse0 audispd-plugins auditd \
>> +	audispd-plugins auditd \
>>  	uuid-runtime \
>>  	sudo \
>>  "
>>
>
>Was the list possibly intended to list all packages explicitly that are security
>related? If not or that was incomplete anyway, this is fine.

The original intention of the package list is to mention it explicitly all the packages required to achieve the security functionality,  even though some of the packages are dependency packages of the main package.

I Just want to remove the dependency packages because, their names are changed when different distribution version (buster, bullseye, etc) is used like below
[buster]
  Package: nftables
       Dep: libnftables0
[bullseye] 
  Package: nftables
       Dep: libnftables1
So, I have removed the dependency packages here and allowed package-manager to install the correct dependency packages.

But, still there is problem when the main package itself has different name in the other distribution version, in this case should we have different recipe for each distribution version? Please suggest if there is any to resolve such scenarios.
[buster]
  Package: libtss2-esys0
[bullseye]
  Package: libtss2-esys-3.0.2-0

Thanks
Venkata.

>
>Jan
>
>--
>Siemens AG, T RDA IOT
>Corporate Competence Center Embedded Linux

Re: [cip-dev] [PATCH] cip-core-image-security: remove unnecessary dependency package names

[Jan Kiszka]

On 16.11.21 06:11, Venkata.Pyla@toshiba-tsip.com wrote:
> 
> 
>> -----Original Message-----
>> From: cip-dev@lists.cip-project.org <cip-dev@lists.cip-project.org> On Behalf Of
>> Jan Kiszka
>> Sent: 16 November 2021 00:16
>> To: pyla venkata(ＴＳＩＰ) <Venkata.Pyla@toshiba-tsip.com>; cip-
>> dev@lists.cip-project.org
>> Subject: Re: [cip-dev] [PATCH] cip-core-image-security: remove unnecessary
>> dependency package names
>>
>> On 15.11.21 17:15, venkata.pyla@toshiba-tsip.com wrote:
>>> From: venkata pyla <venkata.pyla@toshiba-tsip.com>
>>>
>>> It is not necessary to mention dependency package names when parent
>>> package is present, the dependency packages will automatically install
>>> by isar framework.
>>>
>>> so removing the dependency packages which are not necessary.
>>>
>>> Signed-off-by: venkata pyla <venkata.pyla@toshiba-tsip.com>
>>> ---
>>>  recipes-core/images/cip-core-image-security.bb | 8 ++++----
>>>  1 file changed, 4 insertions(+), 4 deletions(-)
>>>
>>> diff --git a/recipes-core/images/cip-core-image-security.bb
>>> b/recipes-core/images/cip-core-image-security.bb
>>> index 61ddc39..6c41b00 100644
>>> --- a/recipes-core/images/cip-core-image-security.bb
>>> +++ b/recipes-core/images/cip-core-image-security.bb
>>> @@ -17,12 +17,12 @@ IMAGE_INSTALL += "security-customizations"
>>>
>>>  # Debian packages that provide security features  IMAGE_PREINSTALL +=
>>> " \
>>> -	openssl libssl1.1 \
>>> +	openssl \
>>>  	fail2ban \
>>>  	openssh-server openssh-sftp-server openssh-client \
>>>  	syslog-ng-core syslog-ng-mod-journal \
>>> -	aide aide-common \
>>> -	libnftables0 nftables \
>>> +	aide \
>>> +	nftables \
>>>  	libpam-pkcs11 \
>>>  	chrony \
>>>  	tpm2-tools \
>>> @@ -30,7 +30,7 @@ IMAGE_PREINSTALL += " \
>>>  	libtss2-esys0 libtss2-udev \
>>>  	libpam-cracklib \
>>>  	acl \
>>> -	libauparse0 audispd-plugins auditd \
>>> +	audispd-plugins auditd \
>>>  	uuid-runtime \
>>>  	sudo \
>>>  "
>>>
>>
>> Was the list possibly intended to list all packages explicitly that are security
>> related? If not or that was incomplete anyway, this is fine.
> 
> The original intention of the package list is to mention it explicitly all the packages required to achieve the security functionality,  even though some of the packages are dependency packages of the main package.
> 
> I Just want to remove the dependency packages because, their names are changed when different distribution version (buster, bullseye, etc) is used like below
> [buster]
>   Package: nftables
>        Dep: libnftables0
> [bullseye] 
>   Package: nftables
>        Dep: libnftables1
> So, I have removed the dependency packages here and allowed package-manager to install the correct dependency packages.

OK, would be good to document that in the commit message.

> 
> But, still there is problem when the main package itself has different name in the other distribution version, in this case should we have different recipe for each distribution version? Please suggest if there is any to resolve such scenarios.
> [buster]
>   Package: libtss2-esys0
> [bullseye]
>   Package: libtss2-esys-3.0.2-0

OVERRIDES_append = ":${BASE_DISTRO_CODENAME}"

IMAGE_PREINSTALL_append_buster = "libtss2-esys0"
IMAGE_PREINSTALL_append_bullseye = "libtss2-esys-3.0.2-0"

Jan

-- 
Siemens AG, T RDA IOT
Corporate Competence Center Embedded Linux

RE: [cip-dev] [PATCH] cip-core-image-security: remove unnecessary dependency package names

[Venkata.Pyla]

>-----Original Message-----
>From: Jan Kiszka <jan.kiszka@siemens.com>
>Sent: 16 November 2021 12:56
>To: pyla venkata(ＴＳＩＰ) <Venkata.Pyla@toshiba-tsip.com>; cip-
>dev@lists.cip-project.org
>Subject: Re: [cip-dev] [PATCH] cip-core-image-security: remove unnecessary
>dependency package names
>
>On 16.11.21 06:11, Venkata.Pyla@toshiba-tsip.com wrote:
>>
>>
>>> -----Original Message-----
>>> From: cip-dev@lists.cip-project.org <cip-dev@lists.cip-project.org>
>>> On Behalf Of Jan Kiszka
>>> Sent: 16 November 2021 00:16
>>> To: pyla venkata(ＴＳＩＰ) <Venkata.Pyla@toshiba-tsip.com>; cip-
>>> dev@lists.cip-project.org
>>> Subject: Re: [cip-dev] [PATCH] cip-core-image-security: remove
>>> unnecessary dependency package names
>>>
>>> On 15.11.21 17:15, venkata.pyla@toshiba-tsip.com wrote:
>>>> From: venkata pyla <venkata.pyla@toshiba-tsip.com>
>>>>
>>>> It is not necessary to mention dependency package names when parent
>>>> package is present, the dependency packages will automatically
>>>> install by isar framework.
>>>>
>>>> so removing the dependency packages which are not necessary.
>>>>
>>>> Signed-off-by: venkata pyla <venkata.pyla@toshiba-tsip.com>
>>>> ---
>>>>  recipes-core/images/cip-core-image-security.bb | 8 ++++----
>>>>  1 file changed, 4 insertions(+), 4 deletions(-)
>>>>
>>>> diff --git a/recipes-core/images/cip-core-image-security.bb
>>>> b/recipes-core/images/cip-core-image-security.bb
>>>> index 61ddc39..6c41b00 100644
>>>> --- a/recipes-core/images/cip-core-image-security.bb
>>>> +++ b/recipes-core/images/cip-core-image-security.bb
>>>> @@ -17,12 +17,12 @@ IMAGE_INSTALL += "security-customizations"
>>>>
>>>>  # Debian packages that provide security features  IMAGE_PREINSTALL
>>>> += " \
>>>> -	openssl libssl1.1 \
>>>> +	openssl \
>>>>  	fail2ban \
>>>>  	openssh-server openssh-sftp-server openssh-client \
>>>>  	syslog-ng-core syslog-ng-mod-journal \
>>>> -	aide aide-common \
>>>> -	libnftables0 nftables \
>>>> +	aide \
>>>> +	nftables \
>>>>  	libpam-pkcs11 \
>>>>  	chrony \
>>>>  	tpm2-tools \
>>>> @@ -30,7 +30,7 @@ IMAGE_PREINSTALL += " \
>>>>  	libtss2-esys0 libtss2-udev \
>>>>  	libpam-cracklib \
>>>>  	acl \
>>>> -	libauparse0 audispd-plugins auditd \
>>>> +	audispd-plugins auditd \
>>>>  	uuid-runtime \
>>>>  	sudo \
>>>>  "
>>>>
>>>
>>> Was the list possibly intended to list all packages explicitly that
>>> are security related? If not or that was incomplete anyway, this is fine.
>>
>> The original intention of the package list is to mention it explicitly all the
>packages required to achieve the security functionality,  even though some of
>the packages are dependency packages of the main package.
>>
>> I Just want to remove the dependency packages because, their names are
>> changed when different distribution version (buster, bullseye, etc) is used like
>below [buster]
>>   Package: nftables
>>        Dep: libnftables0
>> [bullseye]
>>   Package: nftables
>>        Dep: libnftables1
>> So, I have removed the dependency packages here and allowed package-
>manager to install the correct dependency packages.
>
>OK, would be good to document that in the commit message.

I will resend the patch with adding this information in the commit.

>
>>
>> But, still there is problem when the main package itself has different name in
>the other distribution version, in this case should we have different recipe for
>each distribution version? Please suggest if there is any to resolve such
>scenarios.
>> [buster]
>>   Package: libtss2-esys0
>> [bullseye]
>>   Package: libtss2-esys-3.0.2-0
>
>OVERRIDES_append = ":${BASE_DISTRO_CODENAME}"
>
>IMAGE_PREINSTALL_append_buster = "libtss2-esys0"
>IMAGE_PREINSTALL_append_bullseye = "libtss2-esys-3.0.2-0"

Thank you for the suggestion, I will use this approach.

>
>Jan
>
>--
>Siemens AG, T RDA IOT
>Corporate Competence Center Embedded Linux