Openembedded Core Discussions
From: Richard Purdie <richard.purdie@linuxfoundation.org>
To: Andrej Valek <andrej.valek@siemens.com>,
	Randy MacLeod <randy.macleod@windriver.com>,
	"openembedded-core@lists.openembedded.org"
	<openembedded-core@lists.openembedded.org>,
	Armin Kuster <akuster808@gmail.com>
Subject: Re: [PATCH] ca-certificates: prevent executing update-ca-certificates from host system
Date: Wed, 23 Aug 2017 13:44:45 +0100	[thread overview]
Message-ID: <1503492285.32591.152.camel@linuxfoundation.org> (raw)
In-Reply-To: <1abbf9f3-8f0e-3fba-26f5-114f049cb977@siemens.com>

On Wed, 2017-08-23 at 14:07 +0200, Andrej Valek wrote:
> I have found out that even master with HOSTTOOLS does not fix my
> problem.
> We use ASSUME_PROVIDED for ca-certificates-native due to corporate
> environment CAs.
> Since nativesdk-ca-certificates depends on ca-certificates-native,
> which is not built, it could not be found. Unfortunately adding
> update-ca-certificates to HOSTTOOLS is not working, since build user
> does not have permissions to modify system CAs and also is in
> /usr/sbin/ which is not in usual system path.
> 
> Therefore I think that this patch applies for master branch, too.
> Possible improvement would be also removing ca-certificates-native
> from DEPENDS of class-nativesdk.
> 
> Solution of installing corporate CAs within OE recipe does not seem
> to be ideal, because the CAs have short expiration date. So using
> system CAs assures reachability of resources over https.
> We had to do this because svn fetcher uses https without option to
> ignore errors (unlike wget which ignores certificates by default).

Reading this made me realise this is a pretty complex issue. In general
we cannot assume that we can execute nativesdk binaries. Since
ca-certificates is allarch and we're executing an sh script, this is less
of an issue in this very specific case. There is a binary involved,
c_rehash, and we do need to make sure there are the right -native
dependencies to get that.

There is a further complication with regard to the paths used:
ca-certificates-native will use one set of paths, nativesdk-ca-certificates
will use a different set, and target ca-certificates a different set again.

I suspect you're right and the ca-certificates-native dependency may be
incorrect and the certs installed into sdks may be broken too. If the
native sysroot and target sysroot layouts don't match, that would cause
an additional source of errors.

So some changes in this area do appear to be needed...

Cheers,

Richard
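A check for the breakage Richard suspects above, added here as an example and not code from the thread or from openembedded-core: it walks `<sysroot>/etc/ssl/certs` and flags symlinks that dangle or resolve to a file outside that sysroot (for instance into the host's certificate store). The directory layout and the constructed demo sysroots are my assumptions.

```shell
#!/bin/sh
# Added example: verify that a sysroot's CA store is self-contained.
# Assumption: the store lives at <sysroot>/etc/ssl/certs as a set of symlinks,
# as update-ca-certificates/c_rehash lay it out on Debian-style systems.
# Returns 0 when every symlink resolves to a regular file inside the sysroot,
# 1 when any link dangles or escapes the sysroot, 2 when the sysroot is missing.
check_sysroot_certs() {
    sysroot=$(cd "$1" 2>/dev/null && pwd -P) || return 2
    certdir="$sysroot/etc/ssl/certs"
    [ -d "$certdir" ] || { echo "missing $certdir"; return 1; }
    bad=0
    for link in "$certdir"/*; do
        [ -L "$link" ] || continue
        # readlink -f canonicalises the link; a dangling link yields a path
        # that is not a regular file (or, on some systems, no path at all).
        target=$(readlink -f "$link" 2>/dev/null) || target=
        if [ -z "$target" ] || [ ! -f "$target" ]; then
            echo "dangling: $link"
            bad=1
            continue
        fi
        case "$target" in
            "$sysroot"/*) ;;  # resolves inside the sysroot: fine
            *) echo "escapes sysroot: $link -> $target"; bad=1 ;;
        esac
    done
    return $bad
}

# Constructed fixtures (not real build output) so the check can be exercised
# offline: $1/good has a relative link into its own share tree, $1/bad has an
# absolute link that points at the host's certificate path.
make_demo_sysroots() {
    base="$1"
    mkdir -p "$base/good/etc/ssl/certs" "$base/good/usr/share/ca-certificates/mozilla"
    echo "constructed placeholder, not a certificate" \
        > "$base/good/usr/share/ca-certificates/mozilla/Example_CA.crt"
    ln -s ../../../usr/share/ca-certificates/mozilla/Example_CA.crt \
        "$base/good/etc/ssl/certs/Example_CA.pem"
    mkdir -p "$base/bad/etc/ssl/certs"
    ln -s /usr/share/ca-certificates/mozilla/Example_CA.crt \
        "$base/bad/etc/ssl/certs/Example_CA.pem"
}
```

Run it against a real SDK or recipe sysroot with `check_sysroot_certs /path/to/sysroot`; the demo fixtures only illustrate the two failure shapes.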

Thread overview: 17+ messages
2017-08-17 14:44 [PATCH] ca-certificates: prevent executing update-ca-certificates from host system Andrej Valek
2017-08-17 16:31 ` Richard Purdie
2017-08-18  6:26   ` Andrej Valek
2017-08-18  9:35     ` Richard Purdie
2017-08-18 10:05       ` Andrej Valek
2017-08-18 15:46         ` Randy MacLeod
2017-08-21  6:12           ` Andrej Valek
2017-08-23 12:07             ` Andrej Valek
2017-08-23 12:44               ` Richard Purdie [this message]
2017-08-23 19:00                 ` Khem Raj
2017-08-24 10:38                   ` Andrej Valek
2017-08-24 14:16                     ` Richard Purdie
2017-08-24 14:23                       ` Andrej Valek
2017-08-24 14:26                         ` Richard Purdie
2017-08-25  6:05                           ` Andrej Valek
2017-08-25  8:25                             ` Richard Purdie
2017-08-25 12:31                               ` Andrej Valek
