| Message ID | 20211115161554.24270-1-venkata.pyla@toshiba-tsip.com (mailing list archive) |
|---|---|
| State | New |
| Headers | show |
| Series | cip-core-image-security: remove unnecessary dependency package names | expand |
On 15.11.21 17:15, venkata.pyla@toshiba-tsip.com wrote: > From: venkata pyla <venkata.pyla@toshiba-tsip.com> > > It is not necessary to mention dependency package names when parent > package is present, the dependency packages will automatically > install by isar framework. > > so removing the dependency packages which are not necessary. > > Signed-off-by: venkata pyla <venkata.pyla@toshiba-tsip.com> > --- > recipes-core/images/cip-core-image-security.bb | 8 ++++---- > 1 file changed, 4 insertions(+), 4 deletions(-) > > diff --git a/recipes-core/images/cip-core-image-security.bb b/recipes-core/images/cip-core-image-security.bb > index 61ddc39..6c41b00 100644 > --- a/recipes-core/images/cip-core-image-security.bb > +++ b/recipes-core/images/cip-core-image-security.bb > @@ -17,12 +17,12 @@ IMAGE_INSTALL += "security-customizations" > > # Debian packages that provide security features > IMAGE_PREINSTALL += " \ > - openssl libssl1.1 \ > + openssl \ > fail2ban \ > openssh-server openssh-sftp-server openssh-client \ > syslog-ng-core syslog-ng-mod-journal \ > - aide aide-common \ > - libnftables0 nftables \ > + aide \ > + nftables \ > libpam-pkcs11 \ > chrony \ > tpm2-tools \ > @@ -30,7 +30,7 @@ IMAGE_PREINSTALL += " \ > libtss2-esys0 libtss2-udev \ > libpam-cracklib \ > acl \ > - libauparse0 audispd-plugins auditd \ > + audispd-plugins auditd \ > uuid-runtime \ > sudo \ > " > Was the list possibly intended to list all packages explicitly that are security related? If not or that was incomplete anyway, this is fine. Jan
>-----Original Message----- >From: cip-dev@lists.cip-project.org <cip-dev@lists.cip-project.org> On Behalf Of >Jan Kiszka >Sent: 16 November 2021 00:16 >To: pyla venkata(TSIP) <Venkata.Pyla@toshiba-tsip.com>; cip- >dev@lists.cip-project.org >Subject: Re: [cip-dev] [PATCH] cip-core-image-security: remove unnecessary >dependency package names > >On 15.11.21 17:15, venkata.pyla@toshiba-tsip.com wrote: >> From: venkata pyla <venkata.pyla@toshiba-tsip.com> >> >> It is not necessary to mention dependency package names when parent >> package is present, the dependency packages will automatically install >> by isar framework. >> >> so removing the dependency packages which are not necessary. >> >> Signed-off-by: venkata pyla <venkata.pyla@toshiba-tsip.com> >> --- >> recipes-core/images/cip-core-image-security.bb | 8 ++++---- >> 1 file changed, 4 insertions(+), 4 deletions(-) >> >> diff --git a/recipes-core/images/cip-core-image-security.bb >> b/recipes-core/images/cip-core-image-security.bb >> index 61ddc39..6c41b00 100644 >> --- a/recipes-core/images/cip-core-image-security.bb >> +++ b/recipes-core/images/cip-core-image-security.bb >> @@ -17,12 +17,12 @@ IMAGE_INSTALL += "security-customizations" >> >> # Debian packages that provide security features IMAGE_PREINSTALL += >> " \ >> - openssl libssl1.1 \ >> + openssl \ >> fail2ban \ >> openssh-server openssh-sftp-server openssh-client \ >> syslog-ng-core syslog-ng-mod-journal \ >> - aide aide-common \ >> - libnftables0 nftables \ >> + aide \ >> + nftables \ >> libpam-pkcs11 \ >> chrony \ >> tpm2-tools \ >> @@ -30,7 +30,7 @@ IMAGE_PREINSTALL += " \ >> libtss2-esys0 libtss2-udev \ >> libpam-cracklib \ >> acl \ >> - libauparse0 audispd-plugins auditd \ >> + audispd-plugins auditd \ >> uuid-runtime \ >> sudo \ >> " >> > >Was the list possibly intended to list all packages explicitly that are security >related? If not or that was incomplete anyway, this is fine. The original intention of the package list is to mention it explicitly all the packages required to achieve the security functionality, even though some of the packages are dependency packages of the main package. I Just want to remove the dependency packages because, their names are changed when different distribution version (buster, bullseye, etc) is used like below [buster] Package: nftables Dep: libnftables0 [bullseye] Package: nftables Dep: libnftables1 So, I have removed the dependency packages here and allowed package-manager to install the correct dependency packages. But, still there is problem when the main package itself has different name in the other distribution version, in this case should we have different recipe for each distribution version? Please suggest if there is any to resolve such scenarios. [buster] Package: libtss2-esys0 [bullseye] Package: libtss2-esys-3.0.2-0 Thanks Venkata. > >Jan > >-- >Siemens AG, T RDA IOT >Corporate Competence Center Embedded Linux
On 16.11.21 06:11, Venkata.Pyla@toshiba-tsip.com wrote: > > >> -----Original Message----- >> From: cip-dev@lists.cip-project.org <cip-dev@lists.cip-project.org> On Behalf Of >> Jan Kiszka >> Sent: 16 November 2021 00:16 >> To: pyla venkata(TSIP) <Venkata.Pyla@toshiba-tsip.com>; cip- >> dev@lists.cip-project.org >> Subject: Re: [cip-dev] [PATCH] cip-core-image-security: remove unnecessary >> dependency package names >> >> On 15.11.21 17:15, venkata.pyla@toshiba-tsip.com wrote: >>> From: venkata pyla <venkata.pyla@toshiba-tsip.com> >>> >>> It is not necessary to mention dependency package names when parent >>> package is present, the dependency packages will automatically install >>> by isar framework. >>> >>> so removing the dependency packages which are not necessary. >>> >>> Signed-off-by: venkata pyla <venkata.pyla@toshiba-tsip.com> >>> --- >>> recipes-core/images/cip-core-image-security.bb | 8 ++++---- >>> 1 file changed, 4 insertions(+), 4 deletions(-) >>> >>> diff --git a/recipes-core/images/cip-core-image-security.bb >>> b/recipes-core/images/cip-core-image-security.bb >>> index 61ddc39..6c41b00 100644 >>> --- a/recipes-core/images/cip-core-image-security.bb >>> +++ b/recipes-core/images/cip-core-image-security.bb >>> @@ -17,12 +17,12 @@ IMAGE_INSTALL += "security-customizations" >>> >>> # Debian packages that provide security features IMAGE_PREINSTALL += >>> " \ >>> - openssl libssl1.1 \ >>> + openssl \ >>> fail2ban \ >>> openssh-server openssh-sftp-server openssh-client \ >>> syslog-ng-core syslog-ng-mod-journal \ >>> - aide aide-common \ >>> - libnftables0 nftables \ >>> + aide \ >>> + nftables \ >>> libpam-pkcs11 \ >>> chrony \ >>> tpm2-tools \ >>> @@ -30,7 +30,7 @@ IMAGE_PREINSTALL += " \ >>> libtss2-esys0 libtss2-udev \ >>> libpam-cracklib \ >>> acl \ >>> - libauparse0 audispd-plugins auditd \ >>> + audispd-plugins auditd \ >>> uuid-runtime \ >>> sudo \ >>> " >>> >> >> Was the list possibly intended to list all packages explicitly that are security >> related? If not or that was incomplete anyway, this is fine. > > The original intention of the package list is to mention it explicitly all the packages required to achieve the security functionality, even though some of the packages are dependency packages of the main package. > > I Just want to remove the dependency packages because, their names are changed when different distribution version (buster, bullseye, etc) is used like below > [buster] > Package: nftables > Dep: libnftables0 > [bullseye] > Package: nftables > Dep: libnftables1 > So, I have removed the dependency packages here and allowed package-manager to install the correct dependency packages. OK, would be good to document that in the commit message. > > But, still there is problem when the main package itself has different name in the other distribution version, in this case should we have different recipe for each distribution version? Please suggest if there is any to resolve such scenarios. > [buster] > Package: libtss2-esys0 > [bullseye] > Package: libtss2-esys-3.0.2-0 OVERRIDES_append = ":${BASE_DISTRO_CODENAME}" IMAGE_PREINSTALL_append_buster = "libtss2-esys0" IMAGE_PREINSTALL_append_bullseye = "libtss2-esys-3.0.2-0" Jan
>-----Original Message----- >From: Jan Kiszka <jan.kiszka@siemens.com> >Sent: 16 November 2021 12:56 >To: pyla venkata(TSIP) <Venkata.Pyla@toshiba-tsip.com>; cip- >dev@lists.cip-project.org >Subject: Re: [cip-dev] [PATCH] cip-core-image-security: remove unnecessary >dependency package names > >On 16.11.21 06:11, Venkata.Pyla@toshiba-tsip.com wrote: >> >> >>> -----Original Message----- >>> From: cip-dev@lists.cip-project.org <cip-dev@lists.cip-project.org> >>> On Behalf Of Jan Kiszka >>> Sent: 16 November 2021 00:16 >>> To: pyla venkata(TSIP) <Venkata.Pyla@toshiba-tsip.com>; cip- >>> dev@lists.cip-project.org >>> Subject: Re: [cip-dev] [PATCH] cip-core-image-security: remove >>> unnecessary dependency package names >>> >>> On 15.11.21 17:15, venkata.pyla@toshiba-tsip.com wrote: >>>> From: venkata pyla <venkata.pyla@toshiba-tsip.com> >>>> >>>> It is not necessary to mention dependency package names when parent >>>> package is present, the dependency packages will automatically >>>> install by isar framework. >>>> >>>> so removing the dependency packages which are not necessary. >>>> >>>> Signed-off-by: venkata pyla <venkata.pyla@toshiba-tsip.com> >>>> --- >>>> recipes-core/images/cip-core-image-security.bb | 8 ++++---- >>>> 1 file changed, 4 insertions(+), 4 deletions(-) >>>> >>>> diff --git a/recipes-core/images/cip-core-image-security.bb >>>> b/recipes-core/images/cip-core-image-security.bb >>>> index 61ddc39..6c41b00 100644 >>>> --- a/recipes-core/images/cip-core-image-security.bb >>>> +++ b/recipes-core/images/cip-core-image-security.bb >>>> @@ -17,12 +17,12 @@ IMAGE_INSTALL += "security-customizations" >>>> >>>> # Debian packages that provide security features IMAGE_PREINSTALL >>>> += " \ >>>> - openssl libssl1.1 \ >>>> + openssl \ >>>> fail2ban \ >>>> openssh-server openssh-sftp-server openssh-client \ >>>> syslog-ng-core syslog-ng-mod-journal \ >>>> - aide aide-common \ >>>> - libnftables0 nftables \ >>>> + aide \ >>>> + nftables \ >>>> libpam-pkcs11 \ >>>> chrony \ >>>> tpm2-tools \ >>>> @@ -30,7 +30,7 @@ IMAGE_PREINSTALL += " \ >>>> libtss2-esys0 libtss2-udev \ >>>> libpam-cracklib \ >>>> acl \ >>>> - libauparse0 audispd-plugins auditd \ >>>> + audispd-plugins auditd \ >>>> uuid-runtime \ >>>> sudo \ >>>> " >>>> >>> >>> Was the list possibly intended to list all packages explicitly that >>> are security related? If not or that was incomplete anyway, this is fine. >> >> The original intention of the package list is to mention it explicitly all the >packages required to achieve the security functionality, even though some of >the packages are dependency packages of the main package. >> >> I Just want to remove the dependency packages because, their names are >> changed when different distribution version (buster, bullseye, etc) is used like >below [buster] >> Package: nftables >> Dep: libnftables0 >> [bullseye] >> Package: nftables >> Dep: libnftables1 >> So, I have removed the dependency packages here and allowed package- >manager to install the correct dependency packages. > >OK, would be good to document that in the commit message. I will resend the patch with adding this information in the commit. > >> >> But, still there is problem when the main package itself has different name in >the other distribution version, in this case should we have different recipe for >each distribution version? Please suggest if there is any to resolve such >scenarios. >> [buster] >> Package: libtss2-esys0 >> [bullseye] >> Package: libtss2-esys-3.0.2-0 > >OVERRIDES_append = ":${BASE_DISTRO_CODENAME}" > >IMAGE_PREINSTALL_append_buster = "libtss2-esys0" >IMAGE_PREINSTALL_append_bullseye = "libtss2-esys-3.0.2-0" Thank you for the suggestion, I will use this approach. > >Jan > >-- >Siemens AG, T RDA IOT >Corporate Competence Center Embedded Linux
diff --git a/recipes-core/images/cip-core-image-security.bb b/recipes-core/images/cip-core-image-security.bb index 61ddc39..6c41b00 100644 --- a/recipes-core/images/cip-core-image-security.bb +++ b/recipes-core/images/cip-core-image-security.bb @@ -17,12 +17,12 @@ IMAGE_INSTALL += "security-customizations" # Debian packages that provide security features IMAGE_PREINSTALL += " \ - openssl libssl1.1 \ + openssl \ fail2ban \ openssh-server openssh-sftp-server openssh-client \ syslog-ng-core syslog-ng-mod-journal \ - aide aide-common \ - libnftables0 nftables \ + aide \ + nftables \ libpam-pkcs11 \ chrony \ tpm2-tools \ @@ -30,7 +30,7 @@ IMAGE_PREINSTALL += " \ libtss2-esys0 libtss2-udev \ libpam-cracklib \ acl \ - libauparse0 audispd-plugins auditd \ + audispd-plugins auditd \ uuid-runtime \ sudo \ "