c20b2ae4ec
Commit 2c5a82a29c (package/openssh: select linux-pam if refpolicy upstream is selected) did not account for the linux-pam dependencies before selecting it, causing unmet dependencies warnings (unfortunately, not errors), such as:

    $ KCONFIG_SEED=0xCF227CF4 make randconfig
    WARNING: unmet direct dependencies detected for BR2_PACKAGE_LINUX_PAM
      Depends on [n]: BR2_ENABLE_LOCALE [=n] && BR2_USE_WCHAR [=n] && !BR2_STATIC_LIBS [=n] && BR2_USE_MMU [=y] && BR2_TOOLCHAIN_GCC_AT_LEAST_4_9 [=y]
      Selected by [y]:
      - BR2_PACKAGE_OPENSSH [=y] && BR2_USE_MMU [=y] && BR2_PACKAGE_REFPOLICY_UPSTREAM_VERSION [=y]

2c5a82a29c made the choice of having openssl bear the responsibility to select linux-pam when the upstream refpolicy version was enabled. Semantically however, the responsibility really lies within refpolicy itself, since that's what imposes linux-pam to openssh.

Move the select to refpolicy and drop it from openssh. Then, ensure that linux-pam is only selected when it is available.

That means that one may get an openssh that is not linked against linux-pam, when the linux-pam dependencies are not met; refpolicy (by way of libsepol) also has a more stringent requirement on gcc version than linux-pam, so most probably the missing dependencies would be locale, wchar, or a static build. We consider that situation to be a corner case that we do not want to address.

In the future, we may have more similar situations, whereby refpolicy would impose other packages be linked with otherwise optional dependencies. If (when) that were (will be) the case, then the proposed mechanism would quickly become ugly; we could then re-assess a nicer way to do that. Until then, this is good enough.

Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Adam Duskett <adam.duskett@amarulasolutions.com>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
43 lines
953 B
Plaintext
config BR2_PACKAGE_OPENSSH
	bool "openssh"
	depends on BR2_USE_MMU # fork()
	select BR2_PACKAGE_OPENSSL
	select BR2_PACKAGE_ZLIB
	help
	  A free version of the SSH protocol suite of network
	  connectivity tools. The standard 'ssh', 'sshd', 'scp', and
	  friends.

	  http://www.openssh.com/

if BR2_PACKAGE_OPENSSH

config BR2_PACKAGE_OPENSSH_CLIENT
	bool "client"
	default y
	help
	  Client programs: ssh, scp, sftp, ssh-agent, ssh-add,
	  ssh-copy-id.

config BR2_PACKAGE_OPENSSH_SERVER
	bool "server"
	default y
	help
	  Server programs: sshd, sftp-server

config BR2_PACKAGE_OPENSSH_KEY_UTILS
	bool "key utilities"
	default y
	help
	  Key utilities: ssh-keygen, ssh-keyscan.

config BR2_PACKAGE_OPENSSH_SANDBOX
	bool "use sandboxing"
	default y
	help
	  Use sandboxing for extra privilege protection of processes.

	  This is normally preferable, but may cause seccomp problems
	  for certain combinations of C libraries and kernel versions.
endif
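
The failure mode in the commit message comes from Kconfig's `select`, which forces a symbol on without checking that symbol's own `depends on` lines. The following is an added example, not Buildroot code: a small lint that flags such selects in a constructed Kconfig sample (the `BR2_PACKAGE_EXAMPLE_GUARDED` symbol and the sample layout are assumptions, and only simple `&&` conditions are handled).

```python
import re

# Constructed Kconfig sample (not Buildroot's real files; EXAMPLE_GUARDED is hypothetical).
SAMPLE = """\
config BR2_PACKAGE_LINUX_PAM
	bool "linux-pam"
	depends on BR2_ENABLE_LOCALE
	depends on BR2_USE_WCHAR
	depends on !BR2_STATIC_LIBS
	depends on BR2_USE_MMU

config BR2_PACKAGE_OPENSSH
	bool "openssh"
	depends on BR2_USE_MMU
	select BR2_PACKAGE_LINUX_PAM if BR2_PACKAGE_REFPOLICY_UPSTREAM_VERSION
	select BR2_PACKAGE_ZLIB

config BR2_PACKAGE_EXAMPLE_GUARDED
	bool "guarded (hypothetical)"
	depends on BR2_USE_MMU
	select BR2_PACKAGE_LINUX_PAM if BR2_ENABLE_LOCALE && BR2_USE_WCHAR && !BR2_STATIC_LIBS
"""

def parse(text):
    """Return {symbol: {"depends": [expr], "selects": [(target, cond)]}}."""
    symbols, current = {}, None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        if m := re.match(r"config\s+(\w+)$", line):
            current = symbols.setdefault(m.group(1), {"depends": [], "selects": []})
        elif current is not None and (m := re.match(r"depends on\s+(.+)$", line)):
            current["depends"].append(m.group(1).strip())
        elif current is not None and (m := re.match(r"select\s+(\w+)(?:\s+if\s+(.+))?$", line)):
            current["selects"].append((m.group(1), m.group(2) or ""))
    return symbols

def unguarded_selects(text):
    """List (selector, target, missing) for selects that skip the target's dependencies."""
    symbols, findings = parse(text), []
    for name, sym in symbols.items():
        for target, cond in sym["selects"]:
            # A dependency is covered by the select's 'if' or the selector's own depends.
            terms = {t.strip() for t in cond.split("&&")} | set(sym["depends"])
            missing = [d for d in symbols.get(target, {}).get("depends", []) if d not in terms]
            if missing:
                findings.append((name, target, missing))
    return findings

if __name__ == "__main__":
    for finding in unguarded_selects(SAMPLE):
        print(finding)
```

Targets with no definition in the scanned text, such as `BR2_PACKAGE_ZLIB` in the sample, are treated as having no dependencies.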