this fixes authentication issues with geary and tls connection

Signed-off-by: Markus Volk <f_l_k@...>
---
meta/recipes-core/glib-networking/glib-networking_2.72.0.bb | 2 +-
meta/recipes-support/gnutls/gnutls_3.7.4.bb | 2 +-
meta/recipes-support/p11-kit/p11-kit_0.24.1.bb | 4 ++--
3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/meta/recipes-core/glib-networking/glib-networking_2.72.0.bb =
b/meta/recipes-core/glib-networking/glib-networking_2.72.0.bb
index d578f17aa5..73827b0a85 100644
--- a/meta/recipes-core/glib-networking/glib-networking_2.72.0.bb
+++ b/meta/recipes-core/glib-networking/glib-networking_2.72.0.bb
@@ -11,7 +11,7 @@ DEPENDS =3D "glib-2.0"
=20
SRC_URI[archive.sha256sum] =3D "100aaebb369285041de52da422b6b716789d5e4d=
7549a3a71ba587b932e0823b"
=20
-PACKAGECONFIG ??=3D "openssl ${@bb.utils.contains('PTEST_ENABLED', '1', =
'tests', '', d)}"
+PACKAGECONFIG ??=3D "openssl gnutls ${@bb.utils.contains('PTEST_ENABLED'=
, '1', 'tests', '', d)}"
=20
PACKAGECONFIG[gnutls] =3D "-Dgnutls=3Denabled,-Dgnutls=3Ddisabled,gnutls=
"
PACKAGECONFIG[openssl] =3D "-Dopenssl=3Denabled,-Dopenssl=3Ddisabled,ope=
nssl"
diff --git a/meta/recipes-support/gnutls/gnutls_3.7.4.bb b/meta/recipes-s=
upport/gnutls/gnutls_3.7.4.bb
index b34eb7f5f0..c2bb1da8be 100644
--- a/meta/recipes-support/gnutls/gnutls_3.7.4.bb
+++ b/meta/recipes-support/gnutls/gnutls_3.7.4.bb
@@ -27,7 +27,7 @@ SRC_URI[sha256sum] =3D "e6adbebcfbc95867de01060d93c7899=
38cf89cc1d1f6ef9ef661890f62
=20
inherit autotools texinfo pkgconfig gettext lib_package gtk-doc
=20
-PACKAGECONFIG ??=3D "libidn ${@bb.utils.filter('DISTRO_FEATURES', 'secc=
omp', d)}"
+PACKAGECONFIG ??=3D "libidn p11-kit ${@bb.utils.filter('DISTRO_FEATURES'=
, 'seccomp', d)}"
=20
# You must also have CONFIG_SECCOMP enabled in the kernel for
# seccomp to work.
diff --git a/meta/recipes-support/p11-kit/p11-kit_0.24.1.bb b/meta/recipe=
s-support/p11-kit/p11-kit_0.24.1.bb
index 59cbb67961..32c382489e 100644
--- a/meta/recipes-support/p11-kit/p11-kit_0.24.1.bb
+++ b/meta/recipes-support/p11-kit/p11-kit_0.24.1.bb
@@ -14,7 +14,7 @@ SRC_URI =3D "git://github.com/p11-glue/p11-kit;branch=3D=
master;protocol=3Dhttps"
SRCREV =3D "dd0590d4e583f107e3e9fafe9ed754149da335d0"
S =3D "${WORKDIR}/git"
=20
-PACKAGECONFIG ??=3D ""
+PACKAGECONFIG ??=3D "trust-paths"
PACKAGECONFIG[manpages] =3D "-Dman=3Dtrue,-Dman=3Dfalse,libxslt-native"
PACKAGECONFIG[trust-paths] =3D "-Dtrust_paths=3D/etc/ssl/certs/ca-certif=
icates.crt,,,ca-certificates"
=20
@@ -29,4 +29,4 @@ FILES:${PN} +=3D " \
# PN contains p11-kit-proxy.so, a symlink to a loadable module
INSANE_SKIP:${PN} =3D "dev-so"
=20
-BBCLASSEXTEND =3D "nativesdk"
+BBCLASSEXTEND =3D "native nativesdk"
--=20
2.25.1

--

On Sun, Apr 10, 2022 at 10:29 AM Markus Volk <f_l_k@...> wrote:

this fixes authentication issues with geary and tls connection

Signed-off-by: Markus Volk <f_l_k@...>
---
meta/recipes-core/glib-networking/glib-networking_2.72.0.bb | 2 +-
meta/recipes-support/gnutls/gnutls_3.7.4.bb | 2 +-
meta/recipes-support/p11-kit/p11-kit_0.24.1.bb | 4 ++--
3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/meta/recipes-core/glib-networking/glib-networking_2.72.0.bb b/meta/recipes-core/glib-networking/glib-networking_2.72.0.bb
index d578f17aa5..73827b0a85 100644
--- a/meta/recipes-core/glib-networking/glib-networking_2.72.0.bb
+++ b/meta/recipes-core/glib-networking/glib-networking_2.72.0.bb
@@ -11,7 +11,7 @@ DEPENDS = "glib-2.0"

SRC_URI[archive.sha256sum] = "100aaebb369285041de52da422b6b716789d5e4d7549a3a71ba587b932e0823b"

-PACKAGECONFIG ??= "openssl ${@bb.utils.contains('PTEST_ENABLED', '1', 'tests', '', d)}"
+PACKAGECONFIG ??= "openssl gnutls ${@bb.utils.contains('PTEST_ENABLED', '1', 'tests', '', d)}"

This should either be gnutls or openssl, not both. But aside from
that, gnutls brings (L)GPLv3 issues and therefore should not be
enabled by default.

Are you saying that some glib-networking functionality works when
using gnutls but does not work when using openssl? If so, is it a
known limitation? Or a bug? If a bug, has it been reported upstream?
The commit message should explain those kinds of details.

PACKAGECONFIG[gnutls] = "-Dgnutls=enabled,-Dgnutls=disabled,gnutls"
PACKAGECONFIG[openssl] = "-Dopenssl=enabled,-Dopenssl=disabled,openssl"
diff --git a/meta/recipes-support/gnutls/gnutls_3.7.4.bb b/meta/recipes-support/gnutls/gnutls_3.7.4.bb
index b34eb7f5f0..c2bb1da8be 100644
--- a/meta/recipes-support/gnutls/gnutls_3.7.4.bb
+++ b/meta/recipes-support/gnutls/gnutls_3.7.4.bb
@@ -27,7 +27,7 @@ SRC_URI[sha256sum] = "e6adbebcfbc95867de01060d93c789938cf89cc1d1f6ef9ef661890f62

inherit autotools texinfo pkgconfig gettext lib_package gtk-doc

-PACKAGECONFIG ??= "libidn ${@bb.utils.filter('DISTRO_FEATURES', 'seccomp', d)}"
+PACKAGECONFIG ??= "libidn p11-kit ${@bb.utils.filter('DISTRO_FEATURES', 'seccomp', d)}"

# You must also have CONFIG_SECCOMP enabled in the kernel for
# seccomp to work.
diff --git a/meta/recipes-support/p11-kit/p11-kit_0.24.1.bb b/meta/recipes-support/p11-kit/p11-kit_0.24.1.bb
index 59cbb67961..32c382489e 100644
--- a/meta/recipes-support/p11-kit/p11-kit_0.24.1.bb
+++ b/meta/recipes-support/p11-kit/p11-kit_0.24.1.bb
@@ -14,7 +14,7 @@ SRC_URI = "git://github.com/p11-glue/p11-kit;branch=master;protocol=https"
SRCREV = "dd0590d4e583f107e3e9fafe9ed754149da335d0"
S = "${WORKDIR}/git"

-PACKAGECONFIG ??= ""
+PACKAGECONFIG ??= "trust-paths"
PACKAGECONFIG[manpages] = "-Dman=true,-Dman=false,libxslt-native"
PACKAGECONFIG[trust-paths] = "-Dtrust_paths=/etc/ssl/certs/ca-certificates.crt,,,ca-certificates"

@@ -29,4 +29,4 @@ FILES:${PN} += " \
# PN contains p11-kit-proxy.so, a symlink to a loadable module
INSANE_SKIP:${PN} = "dev-so"

-BBCLASSEXTEND = "nativesdk"
+BBCLASSEXTEND = "native nativesdk"
--
2.25.1

On Sun, Apr 10, 2022 at 10:29 AM Markus Volk <f_l_k@...> wrote:

this fixes authentication issues with geary and tls connection

Signed-off-by: Markus Volk <f_l_k@...>
---
 meta/recipes-core/glib-networking/glib-networking_2.72.0.bb | 2 +-
 meta/recipes-support/gnutls/gnutls_3.7.4.bb                 | 2 +-
 meta/recipes-support/p11-kit/p11-kit_0.24.1.bb              | 4 ++--
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/meta/recipes-core/glib-networking/glib-networking_2.72.0.bb b/meta/recipes-core/glib-networking/glib-networking_2.72.0.bb
index d578f17aa5..73827b0a85 100644
--- a/meta/recipes-core/glib-networking/glib-networking_2.72.0.bb
+++ b/meta/recipes-core/glib-networking/glib-networking_2.72.0.bb
@@ -11,7 +11,7 @@ DEPENDS = "glib-2.0"

 SRC_URI[archive.sha256sum] = "100aaebb369285041de52da422b6b716789d5e4d7549a3a71ba587b932e0823b"

-PACKAGECONFIG ??= "openssl ${@bb.utils.contains('PTEST_ENABLED', '1', 'tests', '', d)}"
+PACKAGECONFIG ??= "openssl gnutls ${@bb.utils.contains('PTEST_ENABLED', '1', 'tests', '', d)}"

This should either be gnutls or openssl, not both. But aside from
that, gnutls brings (L)GPLv3 issues and therefore should not be
enabled by default.

In a perfect world, I would say you are right. There should not even exist more than one implementation.

In reality, at least for now, geary is broken with openssl.

As for your concern about gplv3 issues. As far as I know, the core of gnutls is under LGPL-2.1. Only installation of gnutls-bin or gnutls-openssl should introduce GPL-3.0.

I'm more like thinking "better to have more mainstays, so you dont fall if you loose one". But  i'm not strict with my opinion. This change can also be done with bbappends.

Are you saying that some glib-networking functionality works when
using gnutls but does not work when using openssl? If so, is it a
known limitation? Or a bug? If a bug, has it been reported upstream?
The commit message should explain those kinds of details.

It completely stopped working with openssl. This happened about two weeks ago, possibly because of the latest openssl update.

On Sun, Apr 10, 2022 at 10:46 PM Markus Volk <f_l_k@...> wrote:

Am 11.04.22 um 06:25 schrieb Andre McCurdy:

On Sun, Apr 10, 2022 at 10:29 AM Markus Volk <f_l_k@...> wrote:

this fixes authentication issues with geary and tls connection

Signed-off-by: Markus Volk <f_l_k@...>
---
meta/recipes-core/glib-networking/glib-networking_2.72.0.bb | 2 +-
meta/recipes-support/gnutls/gnutls_3.7.4.bb | 2 +-
meta/recipes-support/p11-kit/p11-kit_0.24.1.bb | 4 ++--
3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/meta/recipes-core/glib-networking/glib-networking_2.72.0.bb b/meta/recipes-core/glib-networking/glib-networking_2.72.0.bb
index d578f17aa5..73827b0a85 100644
--- a/meta/recipes-core/glib-networking/glib-networking_2.72.0.bb
+++ b/meta/recipes-core/glib-networking/glib-networking_2.72.0.bb
@@ -11,7 +11,7 @@ DEPENDS = "glib-2.0"

SRC_URI[archive.sha256sum] = "100aaebb369285041de52da422b6b716789d5e4d7549a3a71ba587b932e0823b"

-PACKAGECONFIG ??= "openssl ${@bb.utils.contains('PTEST_ENABLED', '1', 'tests', '', d)}"
+PACKAGECONFIG ??= "openssl gnutls ${@bb.utils.contains('PTEST_ENABLED', '1', 'tests', '', d)}"

This should either be gnutls or openssl, not both. But aside from
that, gnutls brings (L)GPLv3 issues and therefore should not be
enabled by default.

In a perfect world, I would say you are right. There should not even exist more than one implementation.

In reality, at least for now, geary is broken with openssl.

As for your concern about gplv3 issues. As far as I know, the core of gnutls is under LGPL-2.1. Only installation of gnutls-bin or gnutls-openssl should introduce GPL-3.0.

It's the dependencies that you have to count as well in order to link
with libgnutls in a program.
libgnutls requires nettle which requires GMP. GMP (>= 6.0.0) is dual licensed
LGPLv3+ or GPLv2+. Starting with 3.5.7 libunistring is required too. It also
is dual licensed LGPLv3+ or GPLv2+

I'm more like thinking "better to have more mainstays, so you dont fall if you loose one". But i'm not strict with my opinion. This change can also be done with bbappends.

Are you saying that some glib-networking functionality works when
using gnutls but does not work when using openssl? If so, is it a
known limitation? Or a bug? If a bug, has it been reported upstream?
The commit message should explain those kinds of details.

It completely stopped working with openssl. This happened about two weeks ago, possibly because of the latest openssl update.

I think it would be nice to check with upstream if that's intentional
or perhaps open a bug with upstream to report the problem.