Re: [OE-core] [PATCH 2/2] curl: disable ca-certificates.crt path setting for native build

[Mikko Rapeli <mikko.rapeli@linaro.org>]

Hi,

On Thu, Apr 04, 2024 at 03:13:08PM +0100, Richard Purdie wrote:
> On Thu, 2024-04-04 at 16:29 +0300, Mikko Rapeli wrote:
> > If linux-yocto-dev is compiled without specific SRCREV, it uses
> > AUTOREV which tries to update to latest available commit. This is
> > currently failing with these steps:
> > 
> > $ rm -rf tmp*/work/*/linux-yocto-dev && \
> > bitbake -c do_configure mc:machine:linux-yocto-dev ; \
> > bitbake -c do_clean mc:machine:linux-yocto-dev
> > [...]
> 
> > The variable dependency chain for the failure is: fetcher_hashes_dummyfunc[vardepvalue]
> > 
> > ERROR: Parsing halted due to errors, see error messages above
> > 
> > Summary: There were 6 WARNING messages.
> > Summary: There were 2 ERROR messages, returning a non-zero exit code.
> > 
> > This state is not recoverable with bitbake calls. All of them fail from now on.
> > "rm -rf tmp/work/*/linux-yocto-dev" recovers the situation
> > and bitbake commands work again.
> > 
> > Root cause is curl-native, dependency of git-native, which
> > has --with-ca-bundle=${sysconfdir}/ssl/certs/ca-certificates.crt
> > which for native build target is wrong and points to curl-native build
> > directory path
> > /home/builder/src/base/build/tmp_poky/work/x86_64-linux/curl-native/8.6.0/recipe-sysroot-native/etc/ssl/certs/ca-certificates.crt
> > 
> > Since git is a build time host package dependency listed in
> > https://docs.yoctoproject.org/dev/singleindex.html#build-host-packages
> > then its dependencies like curl and ca-certificates are too, it should
> > be safe for curl-native to use the default host ca-certificates path
> > instead of the one in recipe specific sysroots which would need to be set with complicated
> > environment variables. Set non-default ca-certificates path only for
> > target and nativesdk builds.
> > 
> > Reported-by: Mathieu Poirier <mathieu.poirier@linaro.org>
> > Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
> > ---
> > �meta/recipes-support/curl/curl_8.6.0.bb | 7 ++++++-
> > �1 file changed, 6 insertions(+), 1 deletion(-)
> > 
> > diff --git a/meta/recipes-support/curl/curl_8.6.0.bb b/meta/recipes-support/curl/curl_8.6.0.bb
> > index 49ba0cb4a7..da5571ca14 100644
> > --- a/meta/recipes-support/curl/curl_8.6.0.bb
> > +++ b/meta/recipes-support/curl/curl_8.6.0.bb
> > @@ -73,11 +73,16 @@ PACKAGECONFIG[zstd] = "--with-zstd,--without-zstd,zstd"
> > �EXTRA_OECONF = " \
> > ���� --disable-libcurl-option \
> > ���� --disable-ntlm-wb \
> > -��� --with-ca-bundle=${sysconfdir}/ssl/certs/ca-certificates.crt \
> > ���� --without-libpsl \
> > ���� --enable-optimize \
> > ���� ${@'--without-ssl' if (bb.utils.filter('PACKAGECONFIG', 'gnutls mbedtls openssl', d) == '') else ''} \
> > �"
> > +EXTRA_OECONF:class-target = " \
> > +��� --with-ca-bundle=${sysconfdir}/ssl/certs/ca-certificates.crt \
> > +"
> > +EXTRA_OECONF:class-nativesdk = " \
> > +��� --with-ca-bundle=${sysconfdir}/ssl/certs/ca-certificates.crt \
> > +"
> > �
> > �fix_absolute_paths () {
> > �	# cleanup buildpaths from curl-config
> 
> This change is fraught with danger :(.
> 
> I have a feeling we've gone around in circles as in some cases you
> don't have the ca-certs on the host, or they're in unusual paths so the
> previous conclusion was we should always have them present in the
> sysroot if curl-native is being used. Yes, that does mean we have to
> set the environment correctly to relocate curl's paths appropriately.
> 
> Certainly at this point in the release cycle I'm very nervous about
> changing this around.

No worries, 421083c46c97bf758496b8c58402aea5d74aa097 already on master fixes
the issue. We're lagging few weeks behind master branch but trying
to catch up.

Cheers,

-Mikko