Re: [OE-core] [PATCH 2/2] curl: disable ca-certificates.crt path setting for native build

[Richard Purdie <richard.purdie@linuxfoundation.org>]

On Thu, 2024-04-04 at 16:29 +0300, Mikko Rapeli wrote:
> If linux-yocto-dev is compiled without specific SRCREV, it uses
> AUTOREV which tries to update to latest available commit. This is
> currently failing with these steps:
> 
> $ rm -rf tmp*/work/*/linux-yocto-dev && \
> bitbake -c do_configure mc:machine:linux-yocto-dev ; \
> bitbake -c do_clean mc:machine:linux-yocto-dev
> [...]

> The variable dependency chain for the failure is: fetcher_hashes_dummyfunc[vardepvalue]
> 
> ERROR: Parsing halted due to errors, see error messages above
> 
> Summary: There were 6 WARNING messages.
> Summary: There were 2 ERROR messages, returning a non-zero exit code.
> 
> This state is not recoverable with bitbake calls. All of them fail from now on.
> "rm -rf tmp/work/*/linux-yocto-dev" recovers the situation
> and bitbake commands work again.
> 
> Root cause is curl-native, dependency of git-native, which
> has --with-ca-bundle=${sysconfdir}/ssl/certs/ca-certificates.crt
> which for native build target is wrong and points to curl-native build
> directory path
> /home/builder/src/base/build/tmp_poky/work/x86_64-linux/curl-native/8.6.0/recipe-sysroot-native/etc/ssl/certs/ca-certificates.crt
> 
> Since git is a build time host package dependency listed in
> https://docs.yoctoproject.org/dev/singleindex.html#build-host-packages
> then its dependencies like curl and ca-certificates are too, it should
> be safe for curl-native to use the default host ca-certificates path
> instead of the one in recipe specific sysroots which would need to be set with complicated
> environment variables. Set non-default ca-certificates path only for
> target and nativesdk builds.
> 
> Reported-by: Mathieu Poirier <mathieu.poirier@linaro.org>
> Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
> ---
>  meta/recipes-support/curl/curl_8.6.0.bb | 7 ++++++-
>  1 file changed, 6 insertions(+), 1 deletion(-)
> 
> diff --git a/meta/recipes-support/curl/curl_8.6.0.bb b/meta/recipes-support/curl/curl_8.6.0.bb
> index 49ba0cb4a7..da5571ca14 100644
> --- a/meta/recipes-support/curl/curl_8.6.0.bb
> +++ b/meta/recipes-support/curl/curl_8.6.0.bb
> @@ -73,11 +73,16 @@ PACKAGECONFIG[zstd] = "--with-zstd,--without-zstd,zstd"
>  EXTRA_OECONF = " \
>      --disable-libcurl-option \
>      --disable-ntlm-wb \
> -    --with-ca-bundle=${sysconfdir}/ssl/certs/ca-certificates.crt \
>      --without-libpsl \
>      --enable-optimize \
>      ${@'--without-ssl' if (bb.utils.filter('PACKAGECONFIG', 'gnutls mbedtls openssl', d) == '') else ''} \
>  "
> +EXTRA_OECONF:class-target = " \
> +    --with-ca-bundle=${sysconfdir}/ssl/certs/ca-certificates.crt \
> +"
> +EXTRA_OECONF:class-nativesdk = " \
> +    --with-ca-bundle=${sysconfdir}/ssl/certs/ca-certificates.crt \
> +"
>  
>  fix_absolute_paths () {
>  	# cleanup buildpaths from curl-config

This change is fraught with danger :(.

I have a feeling we've gone around in circles as in some cases you
don't have the ca-certs on the host, or they're in unusual paths so the
previous conclusion was we should always have them present in the
sysroot if curl-native is being used. Yes, that does mean we have to
set the environment correctly to relocate curl's paths appropriately.

Certainly at this point in the release cycle I'm very nervous about
changing this around.

Cheers,

Richard