[PATCH] cip-core-image-security: remove unnecessary dependency package names


Venkata Pyla
 

From: venkata pyla <venkata.pyla@...>

It is not necessary to mention dependency package names when parent
package is present, the dependency packages will automatically
install by isar framework.

so removing the dependency packages which are not necessary.

Signed-off-by: venkata pyla <venkata.pyla@...>
---
recipes-core/images/cip-core-image-security.bb | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/recipes-core/images/cip-core-image-security.bb b/recipes-core/images/cip-core-image-security.bb
index 61ddc39..6c41b00 100644
--- a/recipes-core/images/cip-core-image-security.bb
+++ b/recipes-core/images/cip-core-image-security.bb
@@ -17,12 +17,12 @@ IMAGE_INSTALL += "security-customizations"

# Debian packages that provide security features
IMAGE_PREINSTALL += " \
- openssl libssl1.1 \
+ openssl \
fail2ban \
openssh-server openssh-sftp-server openssh-client \
syslog-ng-core syslog-ng-mod-journal \
- aide aide-common \
- libnftables0 nftables \
+ aide \
+ nftables \
libpam-pkcs11 \
chrony \
tpm2-tools \
@@ -30,7 +30,7 @@ IMAGE_PREINSTALL += " \
libtss2-esys0 libtss2-udev \
libpam-cracklib \
acl \
- libauparse0 audispd-plugins auditd \
+ audispd-plugins auditd \
uuid-runtime \
sudo \
"
--
2.20.1


Jan Kiszka
 

On 15.11.21 17:15, venkata.pyla@... wrote:
From: venkata pyla <venkata.pyla@...>

It is not necessary to mention dependency package names when parent
package is present, the dependency packages will automatically
install by isar framework.

so removing the dependency packages which are not necessary.

Signed-off-by: venkata pyla <venkata.pyla@...>
---
recipes-core/images/cip-core-image-security.bb | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/recipes-core/images/cip-core-image-security.bb b/recipes-core/images/cip-core-image-security.bb
index 61ddc39..6c41b00 100644
--- a/recipes-core/images/cip-core-image-security.bb
+++ b/recipes-core/images/cip-core-image-security.bb
@@ -17,12 +17,12 @@ IMAGE_INSTALL += "security-customizations"

# Debian packages that provide security features
IMAGE_PREINSTALL += " \
- openssl libssl1.1 \
+ openssl \
fail2ban \
openssh-server openssh-sftp-server openssh-client \
syslog-ng-core syslog-ng-mod-journal \
- aide aide-common \
- libnftables0 nftables \
+ aide \
+ nftables \
libpam-pkcs11 \
chrony \
tpm2-tools \
@@ -30,7 +30,7 @@ IMAGE_PREINSTALL += " \
libtss2-esys0 libtss2-udev \
libpam-cracklib \
acl \
- libauparse0 audispd-plugins auditd \
+ audispd-plugins auditd \
uuid-runtime \
sudo \
"
Was the list possibly intended to list all packages explicitly that are
security related? If not or that was incomplete anyway, this is fine.

Jan

--
Siemens AG, T RDA IOT
Corporate Competence Center Embedded Linux


Venkata Pyla
 

-----Original Message-----
From: cip-dev@... <cip-dev@...> On Behalf Of
Jan Kiszka
Sent: 16 November 2021 00:16
To: pyla venkata(TSIP) <Venkata.Pyla@...>; cip-
dev@...
Subject: Re: [cip-dev] [PATCH] cip-core-image-security: remove unnecessary
dependency package names

On 15.11.21 17:15, venkata.pyla@... wrote:
From: venkata pyla <venkata.pyla@...>

It is not necessary to mention dependency package names when parent
package is present, the dependency packages will automatically install
by isar framework.

so removing the dependency packages which are not necessary.

Signed-off-by: venkata pyla <venkata.pyla@...>
---
recipes-core/images/cip-core-image-security.bb | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/recipes-core/images/cip-core-image-security.bb
b/recipes-core/images/cip-core-image-security.bb
index 61ddc39..6c41b00 100644
--- a/recipes-core/images/cip-core-image-security.bb
+++ b/recipes-core/images/cip-core-image-security.bb
@@ -17,12 +17,12 @@ IMAGE_INSTALL += "security-customizations"

# Debian packages that provide security features IMAGE_PREINSTALL +=
" \
- openssl libssl1.1 \
+ openssl \
fail2ban \
openssh-server openssh-sftp-server openssh-client \
syslog-ng-core syslog-ng-mod-journal \
- aide aide-common \
- libnftables0 nftables \
+ aide \
+ nftables \
libpam-pkcs11 \
chrony \
tpm2-tools \
@@ -30,7 +30,7 @@ IMAGE_PREINSTALL += " \
libtss2-esys0 libtss2-udev \
libpam-cracklib \
acl \
- libauparse0 audispd-plugins auditd \
+ audispd-plugins auditd \
uuid-runtime \
sudo \
"
Was the list possibly intended to list all packages explicitly that are security
related? If not or that was incomplete anyway, this is fine.
The original intention of the package list is to mention it explicitly all the packages required to achieve the security functionality, even though some of the packages are dependency packages of the main package.

I Just want to remove the dependency packages because, their names are changed when different distribution version (buster, bullseye, etc) is used like below
[buster]
Package: nftables
Dep: libnftables0
[bullseye]
Package: nftables
Dep: libnftables1
So, I have removed the dependency packages here and allowed package-manager to install the correct dependency packages.

But, still there is problem when the main package itself has different name in the other distribution version, in this case should we have different recipe for each distribution version? Please suggest if there is any to resolve such scenarios.
[buster]
Package: libtss2-esys0
[bullseye]
Package: libtss2-esys-3.0.2-0

Thanks
Venkata.


Jan

--
Siemens AG, T RDA IOT
Corporate Competence Center Embedded Linux


Jan Kiszka
 

On 16.11.21 06:11, Venkata.Pyla@... wrote:


-----Original Message-----
From: cip-dev@... <cip-dev@...> On Behalf Of
Jan Kiszka
Sent: 16 November 2021 00:16
To: pyla venkata(TSIP) <Venkata.Pyla@...>; cip-
dev@...
Subject: Re: [cip-dev] [PATCH] cip-core-image-security: remove unnecessary
dependency package names

On 15.11.21 17:15, venkata.pyla@... wrote:
From: venkata pyla <venkata.pyla@...>

It is not necessary to mention dependency package names when parent
package is present, the dependency packages will automatically install
by isar framework.

so removing the dependency packages which are not necessary.

Signed-off-by: venkata pyla <venkata.pyla@...>
---
recipes-core/images/cip-core-image-security.bb | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/recipes-core/images/cip-core-image-security.bb
b/recipes-core/images/cip-core-image-security.bb
index 61ddc39..6c41b00 100644
--- a/recipes-core/images/cip-core-image-security.bb
+++ b/recipes-core/images/cip-core-image-security.bb
@@ -17,12 +17,12 @@ IMAGE_INSTALL += "security-customizations"

# Debian packages that provide security features IMAGE_PREINSTALL +=
" \
- openssl libssl1.1 \
+ openssl \
fail2ban \
openssh-server openssh-sftp-server openssh-client \
syslog-ng-core syslog-ng-mod-journal \
- aide aide-common \
- libnftables0 nftables \
+ aide \
+ nftables \
libpam-pkcs11 \
chrony \
tpm2-tools \
@@ -30,7 +30,7 @@ IMAGE_PREINSTALL += " \
libtss2-esys0 libtss2-udev \
libpam-cracklib \
acl \
- libauparse0 audispd-plugins auditd \
+ audispd-plugins auditd \
uuid-runtime \
sudo \
"
Was the list possibly intended to list all packages explicitly that are security
related? If not or that was incomplete anyway, this is fine.
The original intention of the package list is to mention it explicitly all the packages required to achieve the security functionality, even though some of the packages are dependency packages of the main package.

I Just want to remove the dependency packages because, their names are changed when different distribution version (buster, bullseye, etc) is used like below
[buster]
Package: nftables
Dep: libnftables0
[bullseye]
Package: nftables
Dep: libnftables1
So, I have removed the dependency packages here and allowed package-manager to install the correct dependency packages.
OK, would be good to document that in the commit message.


But, still there is problem when the main package itself has different name in the other distribution version, in this case should we have different recipe for each distribution version? Please suggest if there is any to resolve such scenarios.
[buster]
Package: libtss2-esys0
[bullseye]
Package: libtss2-esys-3.0.2-0
OVERRIDES_append = ":${BASE_DISTRO_CODENAME}"

IMAGE_PREINSTALL_append_buster = "libtss2-esys0"
IMAGE_PREINSTALL_append_bullseye = "libtss2-esys-3.0.2-0"

Jan

--
Siemens AG, T RDA IOT
Corporate Competence Center Embedded Linux


Venkata Pyla
 

-----Original Message-----
From: Jan Kiszka <jan.kiszka@...>
Sent: 16 November 2021 12:56
To: pyla venkata(TSIP) <Venkata.Pyla@...>; cip-
dev@...
Subject: Re: [cip-dev] [PATCH] cip-core-image-security: remove unnecessary
dependency package names

On 16.11.21 06:11, Venkata.Pyla@... wrote:


-----Original Message-----
From: cip-dev@... <cip-dev@...>
On Behalf Of Jan Kiszka
Sent: 16 November 2021 00:16
To: pyla venkata(TSIP) <Venkata.Pyla@...>; cip-
dev@...
Subject: Re: [cip-dev] [PATCH] cip-core-image-security: remove
unnecessary dependency package names

On 15.11.21 17:15, venkata.pyla@... wrote:
From: venkata pyla <venkata.pyla@...>

It is not necessary to mention dependency package names when parent
package is present, the dependency packages will automatically
install by isar framework.

so removing the dependency packages which are not necessary.

Signed-off-by: venkata pyla <venkata.pyla@...>
---
recipes-core/images/cip-core-image-security.bb | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/recipes-core/images/cip-core-image-security.bb
b/recipes-core/images/cip-core-image-security.bb
index 61ddc39..6c41b00 100644
--- a/recipes-core/images/cip-core-image-security.bb
+++ b/recipes-core/images/cip-core-image-security.bb
@@ -17,12 +17,12 @@ IMAGE_INSTALL += "security-customizations"

# Debian packages that provide security features IMAGE_PREINSTALL
+= " \
- openssl libssl1.1 \
+ openssl \
fail2ban \
openssh-server openssh-sftp-server openssh-client \
syslog-ng-core syslog-ng-mod-journal \
- aide aide-common \
- libnftables0 nftables \
+ aide \
+ nftables \
libpam-pkcs11 \
chrony \
tpm2-tools \
@@ -30,7 +30,7 @@ IMAGE_PREINSTALL += " \
libtss2-esys0 libtss2-udev \
libpam-cracklib \
acl \
- libauparse0 audispd-plugins auditd \
+ audispd-plugins auditd \
uuid-runtime \
sudo \
"
Was the list possibly intended to list all packages explicitly that
are security related? If not or that was incomplete anyway, this is fine.
The original intention of the package list is to mention it explicitly all the
packages required to achieve the security functionality, even though some of
the packages are dependency packages of the main package.

I Just want to remove the dependency packages because, their names are
changed when different distribution version (buster, bullseye, etc) is used like
below [buster]
Package: nftables
Dep: libnftables0
[bullseye]
Package: nftables
Dep: libnftables1
So, I have removed the dependency packages here and allowed package-
manager to install the correct dependency packages.

OK, would be good to document that in the commit message.
I will resend the patch with adding this information in the commit.



But, still there is problem when the main package itself has different name in
the other distribution version, in this case should we have different recipe for
each distribution version? Please suggest if there is any to resolve such
scenarios.
[buster]
Package: libtss2-esys0
[bullseye]
Package: libtss2-esys-3.0.2-0
OVERRIDES_append = ":${BASE_DISTRO_CODENAME}"

IMAGE_PREINSTALL_append_buster = "libtss2-esys0"
IMAGE_PREINSTALL_append_bullseye = "libtss2-esys-3.0.2-0"
Thank you for the suggestion, I will use this approach.


Jan

--
Siemens AG, T RDA IOT
Corporate Competence Center Embedded Linux