From: Patrick Ohly <patrick.ohly@intel.com>
To: Otavio Salvador <otavio.salvador@ossystems.com.br>
Cc: Jussi Kukkonen <jussi.kukkonen@intel.com>,
Patches and discussions about the oe-core layer
<openembedded-core@lists.openembedded.org>
Subject: Re: native CA cert bundles (was: Re: [PATCH 3/3] cve-check-tool: Use CA cert bundle in correct sysroot)
Date: Tue, 21 Nov 2017 13:21:31 +0100
Message-ID: <1511266891.5979.56.camel@intel.com>
In-Reply-To: <CAP9ODKqxbnkpimHmdoYEax6Njmxfcf9KVJazzvpgn=QzRWPc4w@mail.gmail.com>

On Tue, 2017-11-21 at 10:06 -0200, Otavio Salvador wrote:
> On Tue, Nov 21, 2017 at 6:04 AM, Patrick Ohly <patrick.ohly@intel.com> wrote:
> > On Thu, 2017-02-09 at 21:38 +0200, Jussi Kukkonen wrote:
> > There is https://bugzilla.yoctoproject.org/show_bug.cgi?id=9883 open
> > about some aspect of this, but it doesn't actually address the
> > underlying question about what the right behavior should be. It's based
> > on the assumption that libcurl-native should always use
> > ca-certificates-native.
> >
> > Thoughts anyone?
>
> I agree it should use ca-certificates-native for all native; it
> allows for self-signed internal certificates to be added for internal
> development.

But that's not what bitbake itself uses. Are you saying that bitbake
fetchers etc. should also use whatever certificates are configured for
ca-certificates-native? That leads to a chicken-and-egg problem.

A solution where custom certificates need to be configured in two
different places (system for bitbake, ca-certificates-native for some
other tools) sounds sub-optimal to me.
--
Best Regards, Patrick Ohly
The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.
Thread overview: 13+ messages
2017-02-09 19:38 [PATCH 0/3] Fix cve-check (for recipe sysroots) Jussi Kukkonen
2017-02-09 19:38 ` [PATCH 1/3] cve-check.bbclass: Fix dependencies Jussi Kukkonen
2017-02-09 19:38 ` [PATCH 2/3] cve-check-tool: Fixes for recipe sysroots Jussi Kukkonen
2017-02-09 19:38 ` [PATCH 3/3] cve-check-tool: Use CA cert bundle in correct sysroot Jussi Kukkonen
2017-11-21 8:04 ` native CA cert bundles (was: Re: [PATCH 3/3] cve-check-tool: Use CA cert bundle in correct sysroot) Patrick Ohly
2017-11-21 12:06 ` Otavio Salvador
2017-11-21 12:21 ` Patrick Ohly [this message]
2017-11-21 12:52 ` Otavio Salvador
2017-02-09 19:59 ` ✗ patchtest: failure for Fix cve-check (for recipe sysroots) Patchwork
2017-02-09 21:41 ` Leonardo Sandoval
2017-02-10 11:55 ` [PATCH 0/3] " Alexander Kanavin
2017-02-10 13:04 ` Burton, Ross
2017-02-10 13:11 ` Alexander Kanavin