On 30.09.20 04:08, Daniel Sangorrin wrote: > Although the currently exported manifest probably has > enough information, the tool debsecan and our wrapper > cip-core-sec depend on the dpkg status format. > > Signed-off-by: Daniel Sangorrin > --- > recipes-core/images/cip-core-image-security.bb | 8 ++++++++ > recipes-core/images/cip-core-image.bb | 8 ++++++++ > 2 files changed, 16 insertions(+) > > diff --git a/recipes-core/images/cip-core-image-security.bb b/recipes-core/images/cip-core-image-security.bb > index 61ddc39..928774c 100644 > --- a/recipes-core/images/cip-core-image-security.bb > +++ b/recipes-core/images/cip-core-image-security.bb > @@ -34,3 +34,11 @@ IMAGE_PREINSTALL += " \ > uuid-runtime \ > sudo \ > " > + > +# for cip-core-sec/debsecan > +ROOTFS_POSTPROCESS_COMMAND += "export_dpkg_status" > +export_dpkg_status() { > + sudo -E chroot --userspec=$(id -u):$(id -g) '${ROOTFSDIR}' \ > + cat /var/lib/dpkg/status > \ > + ${ROOTFS_MANIFEST_DEPLOY_DIR}/"${PF}".dpkg_status This is just a copy-out, I don't see the chroot need here. > +} > diff --git a/recipes-core/images/cip-core-image.bb b/recipes-core/images/cip-core-image.bb > index 2cecde3..0139819 100644 > --- a/recipes-core/images/cip-core-image.bb > +++ b/recipes-core/images/cip-core-image.bb > @@ -19,3 +19,11 @@ IMAGE_INSTALL += "customizations" > # for swupdate > SWU_DESCRIPTION ??= "swupdate" > include ${SWU_DESCRIPTION}.inc > + > +# for cip-core-sec/debsecan > +ROOTFS_POSTPROCESS_COMMAND += "export_dpkg_status" > +export_dpkg_status() { > + sudo -E chroot --userspec=$(id -u):$(id -g) '${ROOTFSDIR}' \ > + cat /var/lib/dpkg/status > \ > + ${ROOTFS_MANIFEST_DEPLOY_DIR}/"${PF}".dpkg_status > +} > Please avoid code duplication. We have means like "require some.inc" in bitbake. I'm also wondering if this should go to isar upstream directly. debsecan is a generic Debian tool, nothing CIP-specific per se. Jan