[PATCH v2 00/14] OpenSBI Kconfig Support

Heinrich Schuchardt heinrich.schuchardt at canonical.com
Tue Jul 19 02:27:20 PDT 2022


On 7/19/22 11:05, Anup Patel wrote:
> On Tue, Jul 19, 2022 at 1:11 PM Andreas Schwab <schwab at suse.de> wrote:
>>
>> On Jul 19 2022, Heinrich Schuchardt wrote:
>>
>>> Ubuntu provides OpenSBI as a package. So it is package maintainers not
>>> users that are concerned. kconfig-frontends currently is in the Universe
>>> repository (community supported). This would have to change since OpenSBI
>>> is in the main repository (Canonical supported). Putting software based on
>>> a dead project into main is not preferred.
>>
>> kconfig-frontends is not available on openSUSE Factory either.
> 
> Fair enough. We should use something else.
> 
> Kconfiglib seems to be a good option except the issues pointed out by Heinrich:
> 1) Python pip is not recommended security-wise
> 2) The LICENSE of Kconfiglib needs to be compatible with BSD distros

Bugs in kconfiglib are not fixed in a timely manner. See
https://github.com/ulfalizer/Kconfiglib/issues/105

The last commit was in Jan 2020. So another dead project.

Best regards

Heinrich

> 
> The Kconfiglib LICENSE is definitely not GPL and seems compatible
> with BSD-2-clause and MIT licenses.
> (Refer, https://github.com/ulfalizer/Kconfiglib/blob/master/LICENSE.txt)
> 
> To address security concerns, we can do one of the following:
> A) Include Kconfiglib source under scripts/ directory.
> B) Recommend that OpenSBI users install Kconfiglib as a distro
> package instead of the python-pip3 installer (e.g. python3-kconfiglib
> package available on Ubuntu)
> 
> IMO, the option A mentioned above has a maintenance burden and
> if possible we should avoid it.
> 
> Regards,
> Anup
> 
> 
> 
> 
>>
>> --
>> Andreas Schwab, SUSE Labs, schwab at suse.de
>> GPG Key fingerprint = 0196 BAD8 1CE9 1970 F4BE  1748 E4D4 88E3 0EEA B9D7
>> "And now for something completely different."



