dropbear: don't use IMAGE_FEATURES

Submitted by Martin Jansa on Jan. 7, 2013, 11:15 a.m.

Details

Message ID 1357557340-28756-1-git-send-email-Martin.Jansa@gmail.com
State Not Applicable, archived

Commit Message

Martin Jansa Jan. 7, 2013, 11:15 a.m.
* IMAGE_FEATURES are image specific, but dropbear recipe isn't
* if you have debug-tweaks in EXTRA_IMAGE_FEATURES or added to
  IMAGE_FEATURES in distro config, then it will set DISTRO_TYPE
  to debug as expected, but if you add debug-tweaks only in
  your-own-debug-image, then dropbear never sees debug-tweaks and
  your-own-debug-image won't allow empty password login.
* best way would be to patch dropbear to enable empty password by
  runtime config or argument and enable it in ROOTFS_POSTPROCESS_COMMAND
  like openssh_allow_empty_password does, see
  http://permalink.gmane.org/gmane.network.ssh.dropbear/845

Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
---
 meta/recipes-core/dropbear/dropbear.inc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

Patch

diff --git a/meta/recipes-core/dropbear/dropbear.inc b/meta/recipes-core/dropbear/dropbear.inc
index aa313df..2c170c6 100644
--- a/meta/recipes-core/dropbear/dropbear.inc
+++ b/meta/recipes-core/dropbear/dropbear.inc
@@ -2,7 +2,7 @@  DESCRIPTION = "Dropbear is a lightweight SSH and SCP implementation"
 HOMEPAGE = "http://matt.ucc.asn.au/dropbear/dropbear.html"
 SECTION = "console/network"
 
-INC_PR = "r0"
+INC_PR = "r1"
 
 # some files are from other projects and have others license terms:
 #   public domain, OpenSSH 3.5p1, OpenSSH3.6.1p2, PuTTY
@@ -40,7 +40,7 @@  EXTRA_OEMAKE = 'MULTI=1 SCPPROGRESS=1 PROGRAMS="${SBINCOMMANDS} ${BINCOMMANDS}"'
 EXTRA_OECONF += "\
  ${@base_contains('DISTRO_FEATURES', 'pam', '--enable-pam', '--disable-pam', d)}"
 
-DISTRO_TYPE ?= "${@base_contains("IMAGE_FEATURES", "debug-tweaks", "debug", "",d)}"
+DISTRO_TYPE ?= "debug"
 
 do_install() {
 	install -d ${D}${sysconfdir} \
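
Review bot: the new default `DISTRO_TYPE ?= "debug"` in the second hunk applies to every build that does not set DISTRO_TYPE elsewhere, so the debug variant of dropbear, which the commit message ties to empty password login, becomes what all images get, including ones that never asked for debug-tweaks. Consider defaulting to an empty value and requiring an explicit opt-in, or at least add a comment above the line stating that DISTRO_TYPE must be overridden for non-debug builds.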

Comments

Otavio Salvador Jan. 7, 2013, 11:22 a.m.
On Mon, Jan 7, 2013 at 9:15 AM, Martin Jansa <martin.jansa@gmail.com> wrote:
> * IMAGE_FEATURES are image specific, but dropbear recipe isn't
> * if you have debug-tweaks in EXTRA_IMAGE_FEATURES or added to
>   IMAGE_FEATURES in distro config, then it will set DISTRO_TYPE
>   to debug as expected, but if you add debug-tweaks only in
>   your-own-debug-image, then dropbear never sees debug-tweaks and
>   your-own-debug-image won't allow empty password login.
> * best way would be to patch dropbear to enable empty password by
>   runtime config or argument and enable it in ROOTFS_POSTPROCESS_COMMAND
>   like openssh_allow_empty_password does, see
>   http://permalink.gmane.org/gmane.network.ssh.dropbear/845
>
> Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>

I just fail to see why to keep using DISTRO_TYPE in dropbear in this
case. You could just always include the patch.

Do you have any specific reason?

--
Otavio Salvador                             O.S. Systems
E-mail: otavio@ossystems.com.br  http://www.ossystems.com.br
Mobile: +55 53 9981-7854              http://projetos.ossystems.com.br

Richard Purdie Jan. 7, 2013, 11:36 a.m.
On Mon, 2013-01-07 at 12:15 +0100, Martin Jansa wrote:
> * IMAGE_FEATURES are image specific, but dropbear recipe isn't
> * if you have debug-tweaks in EXTRA_IMAGE_FEATURES or added to
>   IMAGE_FEATURES in distro config, then it will set DISTRO_TYPE
>   to debug as expected, but if you add debug-tweaks only in
>   your-own-debug-image, then dropbear never sees debug-tweaks and
>   your-own-debug-image won't allow empty password login.
> * best way would be to patch dropbear to enable empty password by
>   runtime config or argument and enable it in ROOTFS_POSTPROCESS_COMMAND
>   like openssh_allow_empty_password does, see
>   http://permalink.gmane.org/gmane.network.ssh.dropbear/845
> 
> Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
> ---
>  meta/recipes-core/dropbear/dropbear.inc | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/meta/recipes-core/dropbear/dropbear.inc b/meta/recipes-core/dropbear/dropbear.inc
> index aa313df..2c170c6 100644
> --- a/meta/recipes-core/dropbear/dropbear.inc
> +++ b/meta/recipes-core/dropbear/dropbear.inc
> @@ -2,7 +2,7 @@ DESCRIPTION = "Dropbear is a lightweight SSH and SCP implementation"
>  HOMEPAGE = "http://matt.ucc.asn.au/dropbear/dropbear.html"
>  SECTION = "console/network"
>  
> -INC_PR = "r0"
> +INC_PR = "r1"
>  
>  # some files are from other projects and have others license terms:
>  #   public domain, OpenSSH 3.5p1, OpenSSH3.6.1p2, PuTTY
> @@ -40,7 +40,7 @@ EXTRA_OEMAKE = 'MULTI=1 SCPPROGRESS=1 PROGRAMS="${SBINCOMMANDS} ${BINCOMMANDS}"'
>  EXTRA_OECONF += "\
>   ${@base_contains('DISTRO_FEATURES', 'pam', '--enable-pam', '--disable-pam', d)}"
>  
> -DISTRO_TYPE ?= "${@base_contains("IMAGE_FEATURES", "debug-tweaks", "debug", "",d)}"
> +DISTRO_TYPE ?= "debug"
>  
>  do_install() {
>  	install -d ${D}${sysconfdir} \

How about we ditch DISTRO_TYPE entirely and check for "debug-tweaks" in
DISTRO_FEATURES? This would bring it more into line with the other
places we do things like this.

FWIW I agree this should ideally be runtime configured and we should
really add an enhancement request to the bugzilla for that (or patches
welcome).

Cheers,

Richard

Martin Jansa Jan. 7, 2013, 12:04 p.m.
On Mon, Jan 07, 2013 at 11:36:13AM +0000, Richard Purdie wrote:
> On Mon, 2013-01-07 at 12:15 +0100, Martin Jansa wrote:
> > * IMAGE_FEATURES are image specific, but dropbear recipe isn't
> > * if you have debug-tweaks in EXTRA_IMAGE_FEATURES or added to
> >   IMAGE_FEATURES in distro config, then it will set DISTRO_TYPE
> >   to debug as expected, but if you add debug-tweaks only in
> >   your-own-debug-image, then dropbear never sees debug-tweaks and
> >   your-own-debug-image won't allow empty password login.
> > * best way would be to patch dropbear to enable empty password by
> >   runtime config or argument and enable it in ROOTFS_POSTPROCESS_COMMAND
> >   like openssh_allow_empty_password does, see
> >   http://permalink.gmane.org/gmane.network.ssh.dropbear/845
> > 
> > Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
> > ---
> >  meta/recipes-core/dropbear/dropbear.inc | 4 ++--
> >  1 file changed, 2 insertions(+), 2 deletions(-)
> > 
> > diff --git a/meta/recipes-core/dropbear/dropbear.inc b/meta/recipes-core/dropbear/dropbear.inc
> > index aa313df..2c170c6 100644
> > --- a/meta/recipes-core/dropbear/dropbear.inc
> > +++ b/meta/recipes-core/dropbear/dropbear.inc
> > @@ -2,7 +2,7 @@ DESCRIPTION = "Dropbear is a lightweight SSH and SCP implementation"
> >  HOMEPAGE = "http://matt.ucc.asn.au/dropbear/dropbear.html"
> >  SECTION = "console/network"
> >  
> > -INC_PR = "r0"
> > +INC_PR = "r1"
> >  
> >  # some files are from other projects and have others license terms:
> >  #   public domain, OpenSSH 3.5p1, OpenSSH3.6.1p2, PuTTY
> > @@ -40,7 +40,7 @@ EXTRA_OEMAKE = 'MULTI=1 SCPPROGRESS=1 PROGRAMS="${SBINCOMMANDS} ${BINCOMMANDS}"'
> >  EXTRA_OECONF += "\
> >   ${@base_contains('DISTRO_FEATURES', 'pam', '--enable-pam', '--disable-pam', d)}"
> >  
> > -DISTRO_TYPE ?= "${@base_contains("IMAGE_FEATURES", "debug-tweaks", "debug", "",d)}"
> > +DISTRO_TYPE ?= "debug"
> >  
> >  do_install() {
> >  	install -d ${D}${sysconfdir} \
> 
> How about we ditch DISTRO_TYPE entirely and check for "debug-tweaks" in
> DISTRO_FEATURES? This would bring it more into line with the other
> places we do things like this.

Fine with me, I don't use dropbear, but I've spent some time to debug
why dropbear sometimes doesn't work as expected and shared this change
just to make it more deterministic.

I'm fine with debug-tweaks DISTRO_FEATURES but afaik it's first use and
can be confusing with IMAGE_FEATURES with the same name, that's why I've
kept DISTRO_TYPE which was used at least in OE-classic days.

Cheers,

> FWIW I agree this should ideally be runtime configured and we should
> really add an enhancement request to the bugzilla for that (or patches
> welcome).

Paul Eggleton Jan. 7, 2013, 8:11 p.m.
On Monday 07 January 2013 11:36:13 Richard Purdie wrote:
> On Mon, 2013-01-07 at 12:15 +0100, Martin Jansa wrote:
> > * IMAGE_FEATURES are image specific, but dropbear recipe isn't
> > * if you have debug-tweaks in EXTRA_IMAGE_FEATURES or added to
> > 
> >   IMAGE_FEATURES in distro config, then it will set DISTRO_TYPE
> >   to debug as expected, but if you add debug-tweaks only in
> >   your-own-debug-image, then dropbear never sees debug-tweaks and
> >   your-own-debug-image won't allow empty password login.
> > 
> > * best way would be to patch dropbear to enable empty password by
> > 
> >   runtime config or argument and enable it in ROOTFS_POSTPROCESS_COMMAND
> >   like openssh_allow_empty_password does, see
> >   http://permalink.gmane.org/gmane.network.ssh.dropbear/845
> > 
> > Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
> > ---
> > 
> >  meta/recipes-core/dropbear/dropbear.inc | 4 ++--
> >  1 file changed, 2 insertions(+), 2 deletions(-)
> > 
> > diff --git a/meta/recipes-core/dropbear/dropbear.inc
> > b/meta/recipes-core/dropbear/dropbear.inc index aa313df..2c170c6 100644
> > --- a/meta/recipes-core/dropbear/dropbear.inc
> > +++ b/meta/recipes-core/dropbear/dropbear.inc
> > @@ -2,7 +2,7 @@ DESCRIPTION = "Dropbear is a lightweight SSH and SCP
> > implementation"> 
> >  HOMEPAGE = "http://matt.ucc.asn.au/dropbear/dropbear.html"
> >  SECTION = "console/network"
> > 
> > -INC_PR = "r0"
> > +INC_PR = "r1"
> > 
> >  # some files are from other projects and have others license terms:
> >  #   public domain, OpenSSH 3.5p1, OpenSSH3.6.1p2, PuTTY
> > 
> > @@ -40,7 +40,7 @@ EXTRA_OEMAKE = 'MULTI=1 SCPPROGRESS=1
> > PROGRAMS="${SBINCOMMANDS} ${BINCOMMANDS}"'> 
> >  EXTRA_OECONF += "\
> >  
> >   ${@base_contains('DISTRO_FEATURES', 'pam', '--enable-pam',
> >   '--disable-pam', d)}"> 
> > -DISTRO_TYPE ?= "${@base_contains("IMAGE_FEATURES", "debug-tweaks",
> > "debug", "",d)}" +DISTRO_TYPE ?= "debug"
> > 
> >  do_install() {
> >  
> >  	install -d ${D}${sysconfdir} \
> 
> How about we ditch DISTRO_TYPE entirely and check for "debug-tweaks" in
> DISTRO_FEATURES? This would bring it more into line with the other
> places we do things like this.
> 
> FWIW I agree this should ideally be runtime configured and we should
> really add an enhancement request to the bugzilla for that (or patches
> welcome).

There's already a request open:

https://bugzilla.yoctoproject.org/show_bug.cgi?id=2578

I'd suggest leaving the current behaviour (poor as it may be) until that bug 
is fixed.

Cheers,
Paul

Martin Jansa Jan. 7, 2013, 8:31 p.m.
On Mon, Jan 07, 2013 at 08:11:58PM +0000, Paul Eggleton wrote:
> On Monday 07 January 2013 11:36:13 Richard Purdie wrote:
> > On Mon, 2013-01-07 at 12:15 +0100, Martin Jansa wrote:
> > > * IMAGE_FEATURES are image specific, but dropbear recipe isn't
> > > * if you have debug-tweaks in EXTRA_IMAGE_FEATURES or added to
> > > 
> > >   IMAGE_FEATURES in distro config, then it will set DISTRO_TYPE
> > >   to debug as expected, but if you add debug-tweaks only in
> > >   your-own-debug-image, then dropbear never sees debug-tweaks and
> > >   your-own-debug-image won't allow empty password login.
> > > 
> > > * best way would be to patch dropbear to enable empty password by
> > > 
> > >   runtime config or argument and enable it in ROOTFS_POSTPROCESS_COMMAND
> > >   like openssh_allow_empty_password does, see
> > >   http://permalink.gmane.org/gmane.network.ssh.dropbear/845
> > > 
> > > Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
> > > ---
> > > 
> > >  meta/recipes-core/dropbear/dropbear.inc | 4 ++--
> > >  1 file changed, 2 insertions(+), 2 deletions(-)
> > > 
> > > diff --git a/meta/recipes-core/dropbear/dropbear.inc
> > > b/meta/recipes-core/dropbear/dropbear.inc index aa313df..2c170c6 100644
> > > --- a/meta/recipes-core/dropbear/dropbear.inc
> > > +++ b/meta/recipes-core/dropbear/dropbear.inc
> > > @@ -2,7 +2,7 @@ DESCRIPTION = "Dropbear is a lightweight SSH and SCP
> > > implementation"> 
> > >  HOMEPAGE = "http://matt.ucc.asn.au/dropbear/dropbear.html"
> > >  SECTION = "console/network"
> > > 
> > > -INC_PR = "r0"
> > > +INC_PR = "r1"
> > > 
> > >  # some files are from other projects and have others license terms:
> > >  #   public domain, OpenSSH 3.5p1, OpenSSH3.6.1p2, PuTTY
> > > 
> > > @@ -40,7 +40,7 @@ EXTRA_OEMAKE = 'MULTI=1 SCPPROGRESS=1
> > > PROGRAMS="${SBINCOMMANDS} ${BINCOMMANDS}"'> 
> > >  EXTRA_OECONF += "\
> > >  
> > >   ${@base_contains('DISTRO_FEATURES', 'pam', '--enable-pam',
> > >   '--disable-pam', d)}"> 
> > > -DISTRO_TYPE ?= "${@base_contains("IMAGE_FEATURES", "debug-tweaks",
> > > "debug", "",d)}" +DISTRO_TYPE ?= "debug"
> > > 
> > >  do_install() {
> > >  
> > >  	install -d ${D}${sysconfdir} \
> > 
> > How about we ditch DISTRO_TYPE entirely and check for "debug-tweaks" in
> > DISTRO_FEATURES? This would bring it more into line with the other
> > places we do things like this.
> > 
> > FWIW I agree this should ideally be runtime configured and we should
> > really add an enhancement request to the bugzilla for that (or patches
> > welcome).
> 
> There's already a request open:
> 
> https://bugzilla.yoctoproject.org/show_bug.cgi?id=2578
> 
> I'd suggest leaving the current behaviour (poor as it may be) until that bug 
> is fixed.

Building with OEBasic won't rebuild dropbear to suit IMAGE_FEATURES of
currently built image and even with OEBasicHash I don't know which
dropbear version will be used if I build 2 different images:
bitbake foo-image foo-debug-image

So changing it one way or another is IMHO improvement of current
situation until that bug is fixed properly.

Cheers,

Richard Purdie Jan. 7, 2013, 8:46 p.m.
On Mon, 2013-01-07 at 21:31 +0100, Martin Jansa wrote:
> On Mon, Jan 07, 2013 at 08:11:58PM +0000, Paul Eggleton wrote:
> > On Monday 07 January 2013 11:36:13 Richard Purdie wrote:
> > > On Mon, 2013-01-07 at 12:15 +0100, Martin Jansa wrote:
> > > > * IMAGE_FEATURES are image specific, but dropbear recipe isn't
> > > > * if you have debug-tweaks in EXTRA_IMAGE_FEATURES or added to
> > > > 
> > > >   IMAGE_FEATURES in distro config, then it will set DISTRO_TYPE
> > > >   to debug as expected, but if you add debug-tweaks only in
> > > >   your-own-debug-image, then dropbear never sees debug-tweaks and
> > > >   your-own-debug-image won't allow empty password login.
> > > > 
> > > > * best way would be to patch dropbear to enable empty password by
> > > > 
> > > >   runtime config or argument and enable it in ROOTFS_POSTPROCESS_COMMAND
> > > >   like openssh_allow_empty_password does, see
> > > >   http://permalink.gmane.org/gmane.network.ssh.dropbear/845
> > > > 
> > > > Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
> > > > ---
> > > > 
> > > >  meta/recipes-core/dropbear/dropbear.inc | 4 ++--
> > > >  1 file changed, 2 insertions(+), 2 deletions(-)
> > > > 
> > > > diff --git a/meta/recipes-core/dropbear/dropbear.inc
> > > > b/meta/recipes-core/dropbear/dropbear.inc index aa313df..2c170c6 100644
> > > > --- a/meta/recipes-core/dropbear/dropbear.inc
> > > > +++ b/meta/recipes-core/dropbear/dropbear.inc
> > > > @@ -2,7 +2,7 @@ DESCRIPTION = "Dropbear is a lightweight SSH and SCP
> > > > implementation"> 
> > > >  HOMEPAGE = "http://matt.ucc.asn.au/dropbear/dropbear.html"
> > > >  SECTION = "console/network"
> > > > 
> > > > -INC_PR = "r0"
> > > > +INC_PR = "r1"
> > > > 
> > > >  # some files are from other projects and have others license terms:
> > > >  #   public domain, OpenSSH 3.5p1, OpenSSH3.6.1p2, PuTTY
> > > > 
> > > > @@ -40,7 +40,7 @@ EXTRA_OEMAKE = 'MULTI=1 SCPPROGRESS=1
> > > > PROGRAMS="${SBINCOMMANDS} ${BINCOMMANDS}"'> 
> > > >  EXTRA_OECONF += "\
> > > >  
> > > >   ${@base_contains('DISTRO_FEATURES', 'pam', '--enable-pam',
> > > >   '--disable-pam', d)}"> 
> > > > -DISTRO_TYPE ?= "${@base_contains("IMAGE_FEATURES", "debug-tweaks",
> > > > "debug", "",d)}" +DISTRO_TYPE ?= "debug"
> > > > 
> > > >  do_install() {
> > > >  
> > > >  	install -d ${D}${sysconfdir} \
> > > 
> > > How about we ditch DISTRO_TYPE entirely and check for "debug-tweaks" in
> > > DISTRO_FEATURES? This would bring it more into line with the other
> > > places we do things like this.
> > > 
> > > FWIW I agree this should ideally be runtime configured and we should
> > > really add an enhancement request to the bugzilla for that (or patches
> > > welcome).
> > 
> > There's already a request open:
> > 
> > https://bugzilla.yoctoproject.org/show_bug.cgi?id=2578
> > 
> > I'd suggest leaving the current behaviour (poor as it may be) until that bug 
> > is fixed.
> 
> Building with OEBasic won't rebuild dropbear to suit IMAGE_FEATURES of
> currently build image and even with OEBasicHash I don't know which
> dropbear version will be used if I build 2 different images:
> bitbake foo-image foo-debug-image
> 
> So changing it one way or another is IMHO improvement of current
> situation until that bug is fixed properly.

Having looked into it more, the current situation is a complete mess and
for something security sensitive like this, it *needs* to behave better.
I just raised the priority of the task (medium+).

Cheers,

Richard
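
Added example (not part of the thread and not BitBake or OE-Core code): a simplified Python model of the scoping problem the commit message describes, showing which of the thread's two images ends up with a dropbear that disagrees with its own debug-tweaks setting. It assumes each recipe is parsed against a private copy of the global configuration and that a single dropbear package is shared by all images; `parse_recipe`, `dropbear_distro_type`, `build` and `mismatches` are hypothetical names.

```python
# Simplified model of BitBake variable scoping (added example, not OE-Core code).
# Assumption: each recipe is parsed against its own copy of the global
# configuration, and the one dropbear package is installed into every image.

def base_contains(variable, checkvalues, truevalue, falsevalue, d):
    """truevalue if every word of checkvalues is in the variable's word list."""
    have = set(d.get(variable, "").split())
    return truevalue if set(checkvalues.split()) <= have else falsevalue

def parse_recipe(global_conf, recipe_features=""):
    """Hypothetical helper: a private datastore for one recipe."""
    d = dict(global_conf)  # a copy, so recipe-local settings never leak out
    d["IMAGE_FEATURES"] = " ".join([d.get("IMAGE_FEATURES", ""),
                                    d.get("EXTRA_IMAGE_FEATURES", ""),
                                    recipe_features])
    return d

def dropbear_distro_type(global_conf, patched=False):
    """Value dropbear.inc ends up with, before and after the patch."""
    d = parse_recipe(global_conf)      # dropbear sets no IMAGE_FEATURES itself
    if "DISTRO_TYPE" in d:             # '?=' only assigns when still unset
        return d["DISTRO_TYPE"]
    if patched:
        return "debug"
    return base_contains("IMAGE_FEATURES", "debug-tweaks", "debug", "", d)

def build(global_conf, images, patched=False):
    """Map image name -> (image requested debug-tweaks, dropbear DISTRO_TYPE)."""
    distro_type = dropbear_distro_type(global_conf, patched)
    return {name: (base_contains("IMAGE_FEATURES", "debug-tweaks", True, False,
                                 parse_recipe(global_conf, feats)), distro_type)
            for name, feats in images.items()}

def mismatches(result):
    """Images whose debug-tweaks request disagrees with the dropbear they get."""
    return sorted(n for n, (wants, dt) in result.items()
                  if wants != (dt == "debug"))

# Constructed sample: the two images named in the thread.
IMAGES = {"foo-image": "", "foo-debug-image": "debug-tweaks"}

if __name__ == "__main__":
    print("old, image-only debug-tweaks:", mismatches(build({}, IMAGES)))
    print("old, EXTRA_IMAGE_FEATURES:   ",
          mismatches(build({"EXTRA_IMAGE_FEATURES": "debug-tweaks"}, IMAGES)))
    print("patched, nothing set:        ", mismatches(build({}, IMAGES, True)))
```

In this model the patched recipe swaps which image is wrong: `foo-debug-image` is now consistent, but `foo-image` receives the debug build unless DISTRO_TYPE is set globally.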