[yocto] [meta-security][PATCH 2/2] sssd: add DISTRO_FEATURE sssd

Adrian Bunk bunk at stusta.de
Fri Apr 5 01:19:30 PDT 2019


On Fri, Apr 05, 2019 at 11:05:17AM +0530, akuster808 wrote:
> 
> 
> On 4/5/19 10:29 AM, Adrian Bunk wrote:
> > On Fri, Apr 05, 2019 at 03:47:46AM +0530, Armin Kuster wrote:
> >> Signed-off-by: Armin Kuster <akuster808 at gmail.com>
> >> ---
> >>  recipes-security/sssd/sssd_1.16.4.bb | 2 +-
> >>  1 file changed, 1 insertion(+), 1 deletion(-)
> >>
> >> diff --git a/recipes-security/sssd/sssd_1.16.4.bb b/recipes-security/sssd/sssd_1.16.4.bb
> >> index 34bc8c8..d6a308c 100644
> >> --- a/recipes-security/sssd/sssd_1.16.4.bb
> >> +++ b/recipes-security/sssd/sssd_1.16.4.bb
> >> @@ -16,7 +16,7 @@ SRC_URI[sha256sum] = "6bb212cd6b75b918e945c24e7c3f95a486fb54d7f7d489a9334cfa1a1f
> >>  
> >>  inherit autotools pkgconfig gettext python-dir distro_features_check
> >>  
> >> -REQUIRED_DISTRO_FEATURES = "pam"
> >> +REQUIRED_DISTRO_FEATURES = "pam sssd"
> >> ...
> > Adding a distro feature for a leaf package is wrong.
> Is it a naming issue or something else? I would like to understand so I
> may avoid making the same mistake.

This has nothing to do with naming.
It is about getting rid of workarounds by fixing the root cause,
instead of adding more and more layers of workarounds.

A DISTRO_FEATURE is for cases where PACKAGECONFIG in many recipes should 
be toggled with one setting, or the setting has to be the same in several
recipes.

DISTRO_FEATURES is not appropriate to guard a quick hack workaround for
breakage caused by another workaround.

The problem at hand is that libldb in meta-openembedded was upgraded to 
a version not compatible with the version of samba in meta-openembedded.

As workaroud the libldb shipped in samba was used and installed by 
the samba recipe.

The proper fix would be to upgrade samba to 4.9 or 4.10,
and use the external libldb again.
This would make all problems caused by having two different versions
of libldb disappear.

If this is not possible, it is likely samba that should stop just 
shipping the (older versions of) the conflicting binaries for now.

In a semi-related note, the current samba is a pretty outdated even for
the 4.8 branch and misses several CVE fixes.

cu
Adrian

-- 

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed



More information about the yocto mailing list