rpm: use libgcrypt instead of NSS for cryptography

Message ID 20191120161941.13360-1-ross.burton@intel.com
State New
Headers show
Series
  • rpm: use libgcrypt instead of NSS for cryptography
Related show

Commit Message

Ross Burton Nov. 20, 2019, 4:19 p.m.
RPM 4.15 by default will use libgcrypt instead of NSS for cryptography
functions, but as we didn't have libgcrypt in DEPENDS it kept using NSS.

As RPM is the sole user of NSS/NSPR in oe-core, moving to libgcrypt can make a
noticable difference to build time.  For example, building rpm (and packaging it
as RPMs) from scratch is five minutes faster with libgcrypt.

Signed-off-by: Ross Burton <ross.burton@intel.com>

---
 .../rpm/files/gcrypt-use-pkgconfig.patch      | 51 +++++++++++++++++++
 meta/recipes-devtools/rpm/rpm_4.15.1.bb       |  5 +-
 2 files changed, 54 insertions(+), 2 deletions(-)
 create mode 100644 meta/recipes-devtools/rpm/files/gcrypt-use-pkgconfig.patch

-- 
2.20.1

-- 
_______________________________________________
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core

Comments

Mark Hatle Nov. 20, 2019, 5:51 p.m. | #1
Just as an ack.. Please get rid of NSS/NSPR ASAP, and move to libgcrypt.  Long
term it's a much much better solution.

--Mark

On 11/20/19 10:19 AM, Ross Burton wrote:
> RPM 4.15 by default will use libgcrypt instead of NSS for cryptography

> functions, but as we didn't have libgcrypt in DEPENDS it kept using NSS.

> 

> As RPM is the sole user of NSS/NSPR in oe-core, moving to libgcrypt can make a

> noticable difference to build time.  For example, building rpm (and packaging it

> as RPMs) from scratch is five minutes faster with libgcrypt.

> 

> Signed-off-by: Ross Burton <ross.burton@intel.com>

> ---

>  .../rpm/files/gcrypt-use-pkgconfig.patch      | 51 +++++++++++++++++++

>  meta/recipes-devtools/rpm/rpm_4.15.1.bb       |  5 +-

>  2 files changed, 54 insertions(+), 2 deletions(-)

>  create mode 100644 meta/recipes-devtools/rpm/files/gcrypt-use-pkgconfig.patch

> 

> diff --git a/meta/recipes-devtools/rpm/files/gcrypt-use-pkgconfig.patch b/meta/recipes-devtools/rpm/files/gcrypt-use-pkgconfig.patch

> new file mode 100644

> index 00000000000..8c72d2310b6

> --- /dev/null

> +++ b/meta/recipes-devtools/rpm/files/gcrypt-use-pkgconfig.patch

> @@ -0,0 +1,51 @@

> +Upstream-Status: Submitted [https://github.com/rpm-software-management/rpm/pull/942]

> +Signed-off-by: Ross Burton <ross.burton@intel.com>

> +

> +From 3f6cda568853bf7878df704adc75d4a78d75346c Mon Sep 17 00:00:00 2001

> +From: Ross Burton <ross.burton@intel.com>

> +Date: Wed, 20 Nov 2019 13:06:51 +0000

> +Subject: [PATCH] configure.ac: prefer pkg-config to find libgcrypt

> +

> +libgcrypt from 1.8.5 provides a pkg-config file as well as the traditional

> +libgcrypt-config script.  As pkg-config is more resiliant in the face of

> +complicated build environments (for example cross-compilation and sysroots)

> +prefer the pkg-config file, falling back to libgcrypt-config if that doesn't

> +exist.

> +---

> + configure.ac | 23 +++++++++++++++--------

> + 1 file changed, 15 insertions(+), 8 deletions(-)

> +

> +diff --git a/configure.ac b/configure.ac

> +index 0a3a9bbf4..6a3ea3615 100644

> +--- a/configure.ac

> ++++ b/configure.ac

> +@@ -395,14 +395,21 @@ AC_SUBST(WITH_OPENSSL_LIB)

> + WITH_LIBGCRYPT_INCLUDE=

> + WITH_LIBGCRYPT_LIB=

> + if test "$with_crypto" = libgcrypt ; then

> +-AC_PATH_TOOL(LIBGCRYPT_CONFIG, libgcrypt-config, notfound)

> +-if test notfound != "$LIBGCRYPT_CONFIG" ; then

> +-WITH_LIBGCRYPT_INCLUDE=`$LIBGCRYPT_CONFIG --cflags`

> +-WITH_LIBGCRYPT_LIB=`$LIBGCRYPT_CONFIG --libs`

> +-fi

> +-if test -z "$WITH_LIBGCRYPT_LIB" ; then

> +-AC_MSG_ERROR([libgcrypt not found])

> +-fi

> ++  # libgcrypt 1.8.5 onwards ships a pkg-config file so prefer that

> ++  PKG_CHECK_MODULES([LIBGCRYPT], [libgcrypt], [have_libgcrypt=yes], [have_libgcrypt=no])

> ++  if test "$have_libgcrypt" = "yes"; then

> ++    WITH_LIBGCRYPT_INCLUDE="$LIBGCRYPT_CFLAGS"

> ++    WITH_LIBGCRYPT_LIB="$LIBGCRYPT_LIBS"

> ++  else

> ++    AC_PATH_TOOL(LIBGCRYPT_CONFIG, libgcrypt-config, notfound)

> ++      if test notfound != "$LIBGCRYPT_CONFIG" ; then

> ++        WITH_LIBGCRYPT_INCLUDE=`$LIBGCRYPT_CONFIG --cflags`

> ++        WITH_LIBGCRYPT_LIB=`$LIBGCRYPT_CONFIG --libs`

> ++     fi

> ++     if test -z "$WITH_LIBGCRYPT_LIB" ; then

> ++       AC_MSG_ERROR([libgcrypt not found])

> ++    fi

> ++  fi

> + fi

> + 

> + AM_CONDITIONAL([WITH_LIBGCRYPT],[test "$with_crypto" = libgcrypt])

> diff --git a/meta/recipes-devtools/rpm/rpm_4.15.1.bb b/meta/recipes-devtools/rpm/rpm_4.15.1.bb

> index 4fa2d764fb9..f033cf33144 100644

> --- a/meta/recipes-devtools/rpm/rpm_4.15.1.bb

> +++ b/meta/recipes-devtools/rpm/rpm_4.15.1.bb

> @@ -38,6 +38,7 @@ SRC_URI = "git://github.com/rpm-software-management/rpm;branch=rpm-4.15.x \

>             file://0001-rpm-rpmio.c-restrict-virtual-memory-usage-if-limit-s.patch \

>             file://0016-rpmscript.c-change-logging-level-around-scriptlets-t.patch \

>             file://0001-rpmfc.c-do-not-run-file-classification-in-parallel.patch \

> +           file://gcrypt-use-pkgconfig.patch \

>             "

>  

>  PE = "1"

> @@ -45,7 +46,7 @@ SRCREV = "ab2179452c5be276a6b96c591afded485c7e58c3"

>  

>  S = "${WORKDIR}/git"

>  

> -DEPENDS = "nss libarchive db file popt xz bzip2 dbus elfutils python3"

> +DEPENDS = "libarchive libgcrypt db file popt xz bzip2 dbus elfutils python3"

>  DEPENDS_append_class-native = " file-replacement-native bzip2-replacement-native"

>  

>  inherit autotools gettext pkgconfig python3native

> @@ -54,7 +55,7 @@ export PYTHON_ABI

>  # OE-core patches autoreconf to additionally run gnu-configize, which fails with this recipe

>  EXTRA_AUTORECONF_append = " --exclude=gnu-configize"

>  

> -EXTRA_OECONF_append = " --without-lua --enable-python"

> +EXTRA_OECONF_append = " --without-lua --enable-python --with-crypto=libgcrypt"

>  EXTRA_OECONF_append_libc-musl = " --disable-nls"

>  

>  # --sysconfdir prevents rpm from attempting to access machine-specific configuration in sysroot/etc; we need to have it in rootfs

> 

-- 
_______________________________________________
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
Ross Burton Nov. 20, 2019, 6:20 p.m. | #2
On 20/11/2019 17:51, Mark Hatle wrote:
> Just as an ack.. Please get rid of NSS/NSPR ASAP, and move to libgcrypt.  Long

> term it's a much much better solution.


Absolutely.  I saw nss fly past in a build and was surprised we still 
needed it.

This is the last user in oe-core currently, but meta-oe has several. 
Including mozjs, which might end up in core...

Ross

-- 
_______________________________________________
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core

Patch

diff --git a/meta/recipes-devtools/rpm/files/gcrypt-use-pkgconfig.patch b/meta/recipes-devtools/rpm/files/gcrypt-use-pkgconfig.patch
new file mode 100644
index 00000000000..8c72d2310b6
--- /dev/null
+++ b/meta/recipes-devtools/rpm/files/gcrypt-use-pkgconfig.patch
@@ -0,0 +1,51 @@ 
+Upstream-Status: Submitted [https://github.com/rpm-software-management/rpm/pull/942]
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+From 3f6cda568853bf7878df704adc75d4a78d75346c Mon Sep 17 00:00:00 2001
+From: Ross Burton <ross.burton@intel.com>
+Date: Wed, 20 Nov 2019 13:06:51 +0000
+Subject: [PATCH] configure.ac: prefer pkg-config to find libgcrypt
+
+libgcrypt from 1.8.5 provides a pkg-config file as well as the traditional
+libgcrypt-config script.  As pkg-config is more resiliant in the face of
+complicated build environments (for example cross-compilation and sysroots)
+prefer the pkg-config file, falling back to libgcrypt-config if that doesn't
+exist.
+---
+ configure.ac | 23 +++++++++++++++--------
+ 1 file changed, 15 insertions(+), 8 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 0a3a9bbf4..6a3ea3615 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -395,14 +395,21 @@ AC_SUBST(WITH_OPENSSL_LIB)
+ WITH_LIBGCRYPT_INCLUDE=
+ WITH_LIBGCRYPT_LIB=
+ if test "$with_crypto" = libgcrypt ; then
+-AC_PATH_TOOL(LIBGCRYPT_CONFIG, libgcrypt-config, notfound)
+-if test notfound != "$LIBGCRYPT_CONFIG" ; then
+-WITH_LIBGCRYPT_INCLUDE=`$LIBGCRYPT_CONFIG --cflags`
+-WITH_LIBGCRYPT_LIB=`$LIBGCRYPT_CONFIG --libs`
+-fi
+-if test -z "$WITH_LIBGCRYPT_LIB" ; then
+-AC_MSG_ERROR([libgcrypt not found])
+-fi
++  # libgcrypt 1.8.5 onwards ships a pkg-config file so prefer that
++  PKG_CHECK_MODULES([LIBGCRYPT], [libgcrypt], [have_libgcrypt=yes], [have_libgcrypt=no])
++  if test "$have_libgcrypt" = "yes"; then
++    WITH_LIBGCRYPT_INCLUDE="$LIBGCRYPT_CFLAGS"
++    WITH_LIBGCRYPT_LIB="$LIBGCRYPT_LIBS"
++  else
++    AC_PATH_TOOL(LIBGCRYPT_CONFIG, libgcrypt-config, notfound)
++      if test notfound != "$LIBGCRYPT_CONFIG" ; then
++        WITH_LIBGCRYPT_INCLUDE=`$LIBGCRYPT_CONFIG --cflags`
++        WITH_LIBGCRYPT_LIB=`$LIBGCRYPT_CONFIG --libs`
++     fi
++     if test -z "$WITH_LIBGCRYPT_LIB" ; then
++       AC_MSG_ERROR([libgcrypt not found])
++    fi
++  fi
+ fi
+ 
+ AM_CONDITIONAL([WITH_LIBGCRYPT],[test "$with_crypto" = libgcrypt])
diff --git a/meta/recipes-devtools/rpm/rpm_4.15.1.bb b/meta/recipes-devtools/rpm/rpm_4.15.1.bb
index 4fa2d764fb9..f033cf33144 100644
--- a/meta/recipes-devtools/rpm/rpm_4.15.1.bb
+++ b/meta/recipes-devtools/rpm/rpm_4.15.1.bb
@@ -38,6 +38,7 @@  SRC_URI = "git://github.com/rpm-software-management/rpm;branch=rpm-4.15.x \
            file://0001-rpm-rpmio.c-restrict-virtual-memory-usage-if-limit-s.patch \
            file://0016-rpmscript.c-change-logging-level-around-scriptlets-t.patch \
            file://0001-rpmfc.c-do-not-run-file-classification-in-parallel.patch \
+           file://gcrypt-use-pkgconfig.patch \
            "
 
 PE = "1"
@@ -45,7 +46,7 @@  SRCREV = "ab2179452c5be276a6b96c591afded485c7e58c3"
 
 S = "${WORKDIR}/git"
 
-DEPENDS = "nss libarchive db file popt xz bzip2 dbus elfutils python3"
+DEPENDS = "libarchive libgcrypt db file popt xz bzip2 dbus elfutils python3"
 DEPENDS_append_class-native = " file-replacement-native bzip2-replacement-native"
 
 inherit autotools gettext pkgconfig python3native
@@ -54,7 +55,7 @@  export PYTHON_ABI
 # OE-core patches autoreconf to additionally run gnu-configize, which fails with this recipe
 EXTRA_AUTORECONF_append = " --exclude=gnu-configize"
 
-EXTRA_OECONF_append = " --without-lua --enable-python"
+EXTRA_OECONF_append = " --without-lua --enable-python --with-crypto=libgcrypt"
 EXTRA_OECONF_append_libc-musl = " --disable-nls"
 
 # --sysconfdir prevents rpm from attempting to access machine-specific configuration in sysroot/etc; we need to have it in rootfs