[OE-core][PATCH v2] environment.d-openssl.sh: fix unbound variable with 'set -u'

[OE-core][PATCH v2] environment.d-openssl.sh: fix unbound variable with 'set -u'

[haixiao.yan.cn]

From: Haixiao Yan <haixiao.yan.cn@windriver.com>

When Bash runs with 'set -u' (nounset), accessing an unset variable
directly (e.g. [ -z "$SSL_CERT_FILE" ]) causes a fatal "unbound variable"
error. As a result, the fallback logic to set SSL_CERT_FILE/SSL_CERT_DIR
is never triggered and the script aborts.

The current code assumes these variables may be unset or empty, but does
not guard against 'set -u'. This breaks builds in stricter shell
environments or when users explicitly enable 'set -u'.

Fix this by using parameter expansion with a default value, e.g.
"${SSL_CERT_FILE:-}", so that unset variables are treated as empty
strings. This preserves the intended logic (respect host env first, then
CAFILE/CAPATH, then buildtools defaults) and makes the script robust
under 'set -u'.

Note: environment.d-curl.sh, environment.d-python3-requests.sh,
and environment.d-git.sh have the same issue and should be fixed
similarly.

Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com>
---
 .../openssl/files/environment.d-openssl.sh             | 10 ++++++----
 meta/recipes-devtools/git/git/environment.d-git.sh     | 10 ++++++----
 .../python3-requests/environment.d-python3-requests.sh |  6 ++++--
 meta/recipes-support/curl/curl/environment.d-curl.sh   | 10 ++++++----
 4 files changed, 22 insertions(+), 14 deletions(-)

diff --git a/meta/recipes-connectivity/openssl/files/environment.d-openssl.sh b/meta/recipes-connectivity/openssl/files/environment.d-openssl.sh
index c635be8acab3..292ec38ff721 100644
--- a/meta/recipes-connectivity/openssl/files/environment.d-openssl.sh
+++ b/meta/recipes-connectivity/openssl/files/environment.d-openssl.sh
@@ -1,19 +1,21 @@
+set -eu
+
 export OPENSSL_CONF="$OECORE_NATIVE_SYSROOT/usr/lib/ssl/openssl.cnf"
 export OPENSSL_MODULES="$OECORE_NATIVE_SYSROOT/usr/lib/ossl-modules/"
 export OPENSSL_ENGINES="$OECORE_NATIVE_SYSROOT/usr/lib/engines-3"
 
 # Respect host env SSL_CERT_FILE/SSL_CERT_DIR first, then auto-detected host cert, then cert in buildtools
 # CAFILE/CAPATH is auto-deteced when source buildtools
-if [ -z "$SSL_CERT_FILE" ]; then
-   if [ -n "$CAFILE" ];then
+if [ -z "${SSL_CERT_FILE:-}" ]; then
+   if [ -n "${CAFILE:-}" ];then
        export SSL_CERT_FILE="$CAFILE"
    elif [ -e "${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt" ];then
        export SSL_CERT_FILE="$OECORE_NATIVE_SYSROOT/usr/lib/ssl/certs/ca-certificates.crt"
    fi
 fi
 
-if [ -z "$SSL_CERT_DIR" ]; then
-   if [ -n "$CAPATH" ];then
+if [ -z "${SSL_CERT_DIR:-}" ]; then
+   if [ -n "${CAPATH:-}" ];then
        export SSL_CERT_DIR="$CAPATH"
    elif [ -e "${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt" ];then
        export SSL_CERT_DIR="$OECORE_NATIVE_SYSROOT/usr/lib/ssl/certs"
diff --git a/meta/recipes-devtools/git/git/environment.d-git.sh b/meta/recipes-devtools/git/git/environment.d-git.sh
index 9c7b5a92512a..1b7395b15aca 100644
--- a/meta/recipes-devtools/git/git/environment.d-git.sh
+++ b/meta/recipes-devtools/git/git/environment.d-git.sh
@@ -1,15 +1,17 @@
+set -eu
+
 # Respect host env GIT_SSL_CAINFO/GIT_SSL_CAPATH first, then auto-detected host cert, then cert in buildtools
 # CAFILE/CAPATH is auto-deteced when source buildtools
-if [ -z "$GIT_SSL_CAINFO" ]; then
-	if [ -n "$CAFILE" ];then
+if [ -z "${GIT_SSL_CAINFO:-}" ]; then
+	if [ -n "${CAFILE:-}" ];then
 		export GIT_SSL_CAINFO="$CAFILE"
 	elif [ -e "${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt" ];then
 		export GIT_SSL_CAINFO="${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt"
 	fi
 fi
 
-if [ -z "$GIT_SSL_CAPATH" ]; then
-	if [ -n "$CAPATH" ];then
+if [ -z "${GIT_SSL_CAPATH:-}" ]; then
+	if [ -n "${CAPATH:-}" ];then
 		export GIT_SSL_CAPATH="$CAPATH"
 	elif [ -e "${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt" ];then
 		export GIT_SSL_CAPATH="${OECORE_NATIVE_SYSROOT}/etc/ssl/certs"
diff --git a/meta/recipes-devtools/python/python3-requests/environment.d-python3-requests.sh b/meta/recipes-devtools/python/python3-requests/environment.d-python3-requests.sh
index 492177a9c377..f86027aadfa5 100644
--- a/meta/recipes-devtools/python/python3-requests/environment.d-python3-requests.sh
+++ b/meta/recipes-devtools/python/python3-requests/environment.d-python3-requests.sh
@@ -1,7 +1,9 @@
+set -eu
+
 # Respect host env REQUESTS_CA_BUNDLE first, then auto-detected host cert, then cert in buildtools
 # CAFILE/CAPATH is auto-deteced when source buildtools
-if [ -z "$REQUESTS_CA_BUNDLE" ]; then
-	if [ -n "$CAFILE" ];then
+if [ -z "${REQUESTS_CA_BUNDLE:-}" ]; then
+	if [ -n "${CAFILE:-}" ];then
 		export REQUESTS_CA_BUNDLE="$CAFILE"
 	elif [ -e "${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt" ];then
 		export REQUESTS_CA_BUNDLE="${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt"
diff --git a/meta/recipes-support/curl/curl/environment.d-curl.sh b/meta/recipes-support/curl/curl/environment.d-curl.sh
index 7c2971b3dad1..02329ba8426a 100644
--- a/meta/recipes-support/curl/curl/environment.d-curl.sh
+++ b/meta/recipes-support/curl/curl/environment.d-curl.sh
@@ -1,15 +1,17 @@
+set -eu
+
 # Respect host env CURL_CA_BUNDLE/CURL_CA_PATH first, then auto-detected host cert, then cert in buildtools
 # CAFILE/CAPATH is auto-deteced when source buildtools
-if [ -z "$CURL_CA_PATH" ]; then
-	if [ -n "$CAFILE" ];then
+if [ -z "${CURL_CA_PATH:-}" ]; then
+	if [ -n "${CAFILE:-}" ];then
 		export CURL_CA_BUNDLE="$CAFILE"
 	elif [ -e "${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt" ];then
 		export CURL_CA_BUNDLE="${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt"
 	fi
 fi
 
-if [ -z "$CURL_CA_PATH" ]; then
-	if [ -n "$CAPATH" ];then
+if [ -z "${CURL_CA_PATH:-}" ]; then
+	if [ -n "${CAPATH:-}" ];then
 		export CURL_CA_PATH="$CAPATH"
 	elif [ -e "${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt" ];then
 		export CURL_CA_PATH="${OECORE_NATIVE_SYSROOT}/etc/ssl/certs"
-- 
2.34.1

Re: [OE-core][PATCH v2] environment.d-openssl.sh: fix unbound variable with 'set -u'

[Mathieu Dubois-Briand]

On Fri Sep 5, 2025 at 2:34 PM CEST, Haixiao (CN) via lists.openembedded.org Yan wrote:
> From: Haixiao Yan <haixiao.yan.cn@windriver.com>
>
> When Bash runs with 'set -u' (nounset), accessing an unset variable
> directly (e.g. [ -z "$SSL_CERT_FILE" ]) causes a fatal "unbound variable"
> error. As a result, the fallback logic to set SSL_CERT_FILE/SSL_CERT_DIR
> is never triggered and the script aborts.
>
> The current code assumes these variables may be unset or empty, but does
> not guard against 'set -u'. This breaks builds in stricter shell
> environments or when users explicitly enable 'set -u'.
>
> Fix this by using parameter expansion with a default value, e.g.
> "${SSL_CERT_FILE:-}", so that unset variables are treated as empty
> strings. This preserves the intended logic (respect host env first, then
> CAFILE/CAPATH, then buildtools defaults) and makes the script robust
> under 'set -u'.
>
> Note: environment.d-curl.sh, environment.d-python3-requests.sh,
> and environment.d-git.sh have the same issue and should be fixed
> similarly.
>
> Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com>
> ---

Hi Haixiao,

Thanks for your patch.

It looks like this is leading to failed SDK installations in some cases,
as some other variables are undefined:

ERROR: core-image-sato-1.0-r0 do_testsdkext: Couldn't install the extensible SDK:
Poky (Yocto Project Reference Distro) Extensible SDK installer version 5.2.99+snapshot
======================================================================================
You are about to install the SDK to "/srv/pokybuild/yocto-worker/qemuarm64-armhost/build/build/tmp/work/qemuarm64-poky-linux/core-image-sato/1.0/testsdkext". Proceed [Y/n]? Y
Extracting SDK................................................done
Setting it up...
Extracting buildtools...
Preparing build system...


Contents of preparing_build_system.log:
sh: 17: /srv/pokybuild/yocto-worker/qemuarm64-armhost/build/build/tmp/work/qemuarm64-poky-linux/core-image-sato/1.0/testsdkext/layers/build/oe-init-build-env: BASH_SOURCE: parameter not set

https://autobuilder.yoctoproject.org/valkyrie/#/builders/8/builds/2375
https://autobuilder.yoctoproject.org/valkyrie/#/builders/36/builds/2346
https://autobuilder.yoctoproject.org/valkyrie/#/builders/80/builds/2197


SDK testing environment: x86_64-pokysdk-linux
Traceback (most recent call last):
  File "/srv/pokybuild/yocto-worker/buildtools/build/meta/lib/oeqa/buildtools/cases/build.py", line 21, in test_libc
    self._run('. %s/oe-init-build-env %s' % (corebase, testdir))
  File "/srv/pokybuild/yocto-worker/buildtools/build/meta/lib/oeqa/sdk/case.py", line 17, in _run
    return subprocess.check_output(". %s > /dev/null; %s;" % \
  File "/usr/lib64/python3.9/subprocess.py", line 424, in check_output
    return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
  File "/usr/lib64/python3.9/subprocess.py", line 528, in run
    raise CalledProcessError(retcode, process.args,
oeqa.utils.subprocesstweak.OETestCalledProcessError: Command '. /srv/pokybuild/yocto-worker/buildtools/build/build/tmp/work/x86_64-nativesdk-pokysdk-linux/buildtools-tarball/1.0/testimage-sdk/environment-setup-x86_64-pokysdk-linux > /dev/null; . /srv/pokybuild/yocto-worker/buildtools/build/oe-init-build-env /srv/pokybuild/yocto-worker/buildtools/build/build/tmp/work/x86_64-nativesdk-pokysdk-linux/buildtools-tarball/1.0/testimage-sdk/bitbake-build-vbmlrryg;' returned non-zero exit status 1.
Standard Output: /srv/pokybuild/yocto-worker/buildtools/build/oe-init-build-env: line 29: BBSERVER: unbound variable

https://autobuilder.yoctoproject.org/valkyrie/#/builders/43/builds/2371


Can you fix these failures please?

Thanks,
Mathieu

-- 
Mathieu Dubois-Briand, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

Re: [OE-core][PATCH v2] environment.d-openssl.sh: fix unbound variable with 'set -u'

[Haixiao Yan]

On 2025/9/9 22:16, Mathieu Dubois-Briand wrote:
> CAUTION: This email comes from a non Wind River email account!
> Do not click links or open attachments unless you recognize the sender and know the content is safe.
>
> On Fri Sep 5, 2025 at 2:34 PM CEST, Haixiao (CN) via lists.openembedded.org Yan wrote:
>> From: Haixiao Yan <haixiao.yan.cn@windriver.com>
>>
>> When Bash runs with 'set -u' (nounset), accessing an unset variable
>> directly (e.g. [ -z "$SSL_CERT_FILE" ]) causes a fatal "unbound variable"
>> error. As a result, the fallback logic to set SSL_CERT_FILE/SSL_CERT_DIR
>> is never triggered and the script aborts.
>>
>> The current code assumes these variables may be unset or empty, but does
>> not guard against 'set -u'. This breaks builds in stricter shell
>> environments or when users explicitly enable 'set -u'.
>>
>> Fix this by using parameter expansion with a default value, e.g.
>> "${SSL_CERT_FILE:-}", so that unset variables are treated as empty
>> strings. This preserves the intended logic (respect host env first, then
>> CAFILE/CAPATH, then buildtools defaults) and makes the script robust
>> under 'set -u'.
>>
>> Note: environment.d-curl.sh, environment.d-python3-requests.sh,
>> and environment.d-git.sh have the same issue and should be fixed
>> similarly.
>>
>> Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com>
>> ---
> Hi Haixiao,
>
> Thanks for your patch.
>
> It looks like this is leading to failed SDK installations in some cases,
> as some other variables are undefined:
>
> ERROR: core-image-sato-1.0-r0 do_testsdkext: Couldn't install the extensible SDK:
> Poky (Yocto Project Reference Distro) Extensible SDK installer version 5.2.99+snapshot
> ======================================================================================
> You are about to install the SDK to "/srv/pokybuild/yocto-worker/qemuarm64-armhost/build/build/tmp/work/qemuarm64-poky-linux/core-image-sato/1.0/testsdkext". Proceed [Y/n]? Y
> Extracting SDK................................................done
> Setting it up...
> Extracting buildtools...
> Preparing build system...
>
>
> Contents of preparing_build_system.log:
> sh: 17: /srv/pokybuild/yocto-worker/qemuarm64-armhost/build/build/tmp/work/qemuarm64-poky-linux/core-image-sato/1.0/testsdkext/layers/build/oe-init-build-env: BASH_SOURCE: parameter not set
>
> https://autobuilder.yoctoproject.org/valkyrie/#/builders/8/builds/2375
> https://autobuilder.yoctoproject.org/valkyrie/#/builders/36/builds/2346
> https://autobuilder.yoctoproject.org/valkyrie/#/builders/80/builds/2197
>
>
> SDK testing environment: x86_64-pokysdk-linux
> Traceback (most recent call last):
>    File "/srv/pokybuild/yocto-worker/buildtools/build/meta/lib/oeqa/buildtools/cases/build.py", line 21, in test_libc
>      self._run('. %s/oe-init-build-env %s' % (corebase, testdir))
>    File "/srv/pokybuild/yocto-worker/buildtools/build/meta/lib/oeqa/sdk/case.py", line 17, in _run
>      return subprocess.check_output(". %s > /dev/null; %s;" % \
>    File "/usr/lib64/python3.9/subprocess.py", line 424, in check_output
>      return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
>    File "/usr/lib64/python3.9/subprocess.py", line 528, in run
>      raise CalledProcessError(retcode, process.args,
> oeqa.utils.subprocesstweak.OETestCalledProcessError: Command '. /srv/pokybuild/yocto-worker/buildtools/build/build/tmp/work/x86_64-nativesdk-pokysdk-linux/buildtools-tarball/1.0/testimage-sdk/environment-setup-x86_64-pokysdk-linux > /dev/null; . /srv/pokybuild/yocto-worker/buildtools/build/oe-init-build-env /srv/pokybuild/yocto-worker/buildtools/build/build/tmp/work/x86_64-nativesdk-pokysdk-linux/buildtools-tarball/1.0/testimage-sdk/bitbake-build-vbmlrryg;' returned non-zero exit status 1.
> Standard Output: /srv/pokybuild/yocto-worker/buildtools/build/oe-init-build-env: line 29: BBSERVER: unbound variable
>
> https://autobuilder.yoctoproject.org/valkyrie/#/builders/43/builds/2371
>
>
> Can you fix these failures please?

Remove 'set -eu' to avoid propagating strict mode to other environment.d 
scripts.

Sent v3.

Thanks,

Haixiao

>
> Thanks,
> Mathieu
>
> --
> Mathieu Dubois-Briand, Bootlin
> Embedded Linux and Kernel engineering
> https://bootlin.com
>

Re: [OE-core][PATCH v2] environment.d-openssl.sh: fix unbound variable with 'set -u'

[Andreas Helbech Kleist]

Hi Haixiao,

On Wed, 2025-09-10 at 16:52 +0800, Yan, Haixiao (CN) via
lists.openembedded.org wrote:
> 
> On 2025/9/9 22:16, Mathieu Dubois-Briand wrote:
> > CAUTION: This email comes from a non Wind River email account!
> > Do not click links or open attachments unless you recognize the
> > sender and know the content is safe.
> > 
> > On Fri Sep 5, 2025 at 2:34 PM CEST, Haixiao (CN) via
> > lists.openembedded.org Yan wrote:
> > > From: Haixiao Yan <haixiao.yan.cn@windriver.com>
> > > 
> > > When Bash runs with 'set -u' (nounset), accessing an unset
> > > variable
> > > directly (e.g. [ -z "$SSL_CERT_FILE" ]) causes a fatal "unbound
> > > variable"
> > > error. As a result, the fallback logic to set
> > > SSL_CERT_FILE/SSL_CERT_DIR
> > > is never triggered and the script aborts.
> > > 
> > > The current code assumes these variables may be unset or empty,
> > > but does
> > > not guard against 'set -u'. This breaks builds in stricter shell
> > > environments or when users explicitly enable 'set -u'.

Thank you for working on this. We just ran into this issue after a
small upgrade in the scarthgap branch, so I'm hoping this will also be
backported to scarthgap.

> > > 
> > > Fix this by using parameter expansion with a default value, e.g.
> > > "${SSL_CERT_FILE:-}", so that unset variables are treated as
> > > empty
> > > strings. This preserves the intended logic (respect host env
> > > first, then
> > > CAFILE/CAPATH, then buildtools defaults) and makes the script
> > > robust
> > > under 'set -u'.
> > > 
> > > Note: environment.d-curl.sh, environment.d-python3-requests.sh,
> > > and environment.d-git.sh have the same issue and should be fixed
> > > similarly.

The patch title doesn't mention these changes.

I don't know if changing the title or splitting the patches would be
the preferred approach?


> > > 
> > > Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com>
> > > ---
> > Hi Haixiao,
> > 
> > Thanks for your patch.
> > 
> > It looks like this is leading to failed SDK installations in some
> > cases,
> > as some other variables are undefined:
> > 
> > ERROR: core-image-sato-1.0-r0 do_testsdkext: Couldn't install the
> > extensible SDK:
> > Poky (Yocto Project Reference Distro) Extensible SDK installer
> > version 5.2.99+snapshot
> > ===================================================================
> > ===================
> > You are about to install the SDK to "/srv/pokybuild/yocto-
> > worker/qemuarm64-armhost/build/build/tmp/work/qemuarm64-poky-
> > linux/core-image-sato/1.0/testsdkext". Proceed [Y/n]? Y
> > Extracting SDK................................................done
> > Setting it up...
> > Extracting buildtools...
> > Preparing build system...
> > 
> > 
> > Contents of preparing_build_system.log:
> > sh: 17: /srv/pokybuild/yocto-worker/qemuarm64-
> > armhost/build/build/tmp/work/qemuarm64-poky-linux/core-image-
> > sato/1.0/testsdkext/layers/build/oe-init-build-env: BASH_SOURCE:
> > parameter not set
> > 
> > https://autobuilder.yoctoproject.org/valkyrie/#/builders/8/builds/2375
> > https://autobuilder.yoctoproject.org/valkyrie/#/builders/36/builds/2346
> > https://autobuilder.yoctoproject.org/valkyrie/#/builders/80/builds/2197
> > 
> > 
> > SDK testing environment: x86_64-pokysdk-linux
> > Traceback (most recent call last):
> >    File "/srv/pokybuild/yocto-
> > worker/buildtools/build/meta/lib/oeqa/buildtools/cases/build.py",
> > line 21, in test_libc
> >      self._run('. %s/oe-init-build-env %s' % (corebase, testdir))
> >    File "/srv/pokybuild/yocto-
> > worker/buildtools/build/meta/lib/oeqa/sdk/case.py", line 17, in
> > _run
> >      return subprocess.check_output(". %s > /dev/null; %s;" % \
> >    File "/usr/lib64/python3.9/subprocess.py", line 424, in
> > check_output
> >      return run(*popenargs, stdout=PIPE, timeout=timeout,
> > check=True,
> >    File "/usr/lib64/python3.9/subprocess.py", line 528, in run
> >      raise CalledProcessError(retcode, process.args,
> > oeqa.utils.subprocesstweak.OETestCalledProcessError: Command '.
> > /srv/pokybuild/yocto-worker/buildtools/build/build/tmp/work/x86_64-
> > nativesdk-pokysdk-linux/buildtools-tarball/1.0/testimage-
> > sdk/environment-setup-x86_64-pokysdk-linux > /dev/null; .
> > /srv/pokybuild/yocto-worker/buildtools/build/oe-init-build-env
> > /srv/pokybuild/yocto-worker/buildtools/build/build/tmp/work/x86_64-
> > nativesdk-pokysdk-linux/buildtools-tarball/1.0/testimage-
> > sdk/bitbake-build-vbmlrryg;' returned non-zero exit status 1.
> > Standard Output: /srv/pokybuild/yocto-worker/buildtools/build/oe-
> > init-build-env: line 29: BBSERVER: unbound variable
> > 
> > https://autobuilder.yoctoproject.org/valkyrie/#/builders/43/builds/2371
> > 
> > 
> > Can you fix these failures please?
> 
> Remove 'set -eu' to avoid propagating strict mode to other
> environment.d 
> scripts.

Instead of using 'set -eu' in each script, which as can be seen above
doesn't work, I'd suggest adding a test case that sources the
environment-setup-* from a shell with 'set -eu' called.


> 
> Sent v3.
> 
> Thanks,
> 
> Haixiao
> 
> > 
> > Thanks,
> > Mathieu
> > 
> > --
> > Mathieu Dubois-Briand, Bootlin
> > Embedded Linux and Kernel engineering
> > https://bootlin.com
> > 
> 
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#223151):
> https://lists.openembedded.org/g/openembedded-core/message/223151
> Mute This Topic: https://lists.openembedded.org/mt/115081014/7501392
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe:
> https://lists.openembedded.org/g/openembedded-core/unsub [
> andreaskleist@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
> 

Re: [OE-core][PATCH v2] environment.d-openssl.sh: fix unbound variable with 'set -u'

[Yan, Haixiao (CN)]

On 9/11/2025 9:28 PM, Andreas Helbech Kleist wrote:
> CAUTION: This email comes from a non Wind River email account!
> Do not click links or open attachments unless you recognize the sender and know the content is safe.
>
> Hi Haixiao,
>
> On Wed, 2025-09-10 at 16:52 +0800, Yan, Haixiao (CN) via
> lists.openembedded.org wrote:
>> On 2025/9/9 22:16, Mathieu Dubois-Briand wrote:
>>> CAUTION: This email comes from a non Wind River email account!
>>> Do not click links or open attachments unless you recognize the
>>> sender and know the content is safe.
>>>
>>> On Fri Sep 5, 2025 at 2:34 PM CEST, Haixiao (CN) via
>>> lists.openembedded.org Yan wrote:
>>>> From: Haixiao Yan <haixiao.yan.cn@windriver.com>
>>>>
>>>> When Bash runs with 'set -u' (nounset), accessing an unset
>>>> variable
>>>> directly (e.g. [ -z "$SSL_CERT_FILE" ]) causes a fatal "unbound
>>>> variable"
>>>> error. As a result, the fallback logic to set
>>>> SSL_CERT_FILE/SSL_CERT_DIR
>>>> is never triggered and the script aborts.
>>>>
>>>> The current code assumes these variables may be unset or empty,
>>>> but does
>>>> not guard against 'set -u'. This breaks builds in stricter shell
>>>> environments or when users explicitly enable 'set -u'.
> Thank you for working on this. We just ran into this issue after a
> small upgrade in the scarthgap branch, so I'm hoping this will also be
> backported to scarthgap.
Yes, I will handle this.
>>>> Fix this by using parameter expansion with a default value, e.g.
>>>> "${SSL_CERT_FILE:-}", so that unset variables are treated as
>>>> empty
>>>> strings. This preserves the intended logic (respect host env
>>>> first, then
>>>> CAFILE/CAPATH, then buildtools defaults) and makes the script
>>>> robust
>>>> under 'set -u'.
>>>>
>>>> Note: environment.d-curl.sh, environment.d-python3-requests.sh,
>>>> and environment.d-git.sh have the same issue and should be fixed
>>>> similarly.
> The patch title doesn't mention these changes.
>
> I don't know if changing the title or splitting the patches would be
> the preferred approach?
>
Change the title and sent v4.

Thanks,

Haixiao

>>>> Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com>
>>>> ---
>>> Hi Haixiao,
>>>
>>> Thanks for your patch.
>>>
>>> It looks like this is leading to failed SDK installations in some
>>> cases,
>>> as some other variables are undefined:
>>>
>>> ERROR: core-image-sato-1.0-r0 do_testsdkext: Couldn't install the
>>> extensible SDK:
>>> Poky (Yocto Project Reference Distro) Extensible SDK installer
>>> version 5.2.99+snapshot
>>> ===================================================================
>>> ===================
>>> You are about to install the SDK to "/srv/pokybuild/yocto-
>>> worker/qemuarm64-armhost/build/build/tmp/work/qemuarm64-poky-
>>> linux/core-image-sato/1.0/testsdkext". Proceed [Y/n]? Y
>>> Extracting SDK................................................done
>>> Setting it up...
>>> Extracting buildtools...
>>> Preparing build system...
>>>
>>>
>>> Contents of preparing_build_system.log:
>>> sh: 17: /srv/pokybuild/yocto-worker/qemuarm64-
>>> armhost/build/build/tmp/work/qemuarm64-poky-linux/core-image-
>>> sato/1.0/testsdkext/layers/build/oe-init-build-env: BASH_SOURCE:
>>> parameter not set
>>>
>>> https://autobuilder.yoctoproject.org/valkyrie/#/builders/8/builds/2375
>>> https://autobuilder.yoctoproject.org/valkyrie/#/builders/36/builds/2346
>>> https://autobuilder.yoctoproject.org/valkyrie/#/builders/80/builds/2197
>>>
>>>
>>> SDK testing environment: x86_64-pokysdk-linux
>>> Traceback (most recent call last):
>>>     File "/srv/pokybuild/yocto-
>>> worker/buildtools/build/meta/lib/oeqa/buildtools/cases/build.py",
>>> line 21, in test_libc
>>>       self._run('. %s/oe-init-build-env %s' % (corebase, testdir))
>>>     File "/srv/pokybuild/yocto-
>>> worker/buildtools/build/meta/lib/oeqa/sdk/case.py", line 17, in
>>> _run
>>>       return subprocess.check_output(". %s > /dev/null; %s;" % \
>>>     File "/usr/lib64/python3.9/subprocess.py", line 424, in
>>> check_output
>>>       return run(*popenargs, stdout=PIPE, timeout=timeout,
>>> check=True,
>>>     File "/usr/lib64/python3.9/subprocess.py", line 528, in run
>>>       raise CalledProcessError(retcode, process.args,
>>> oeqa.utils.subprocesstweak.OETestCalledProcessError: Command '.
>>> /srv/pokybuild/yocto-worker/buildtools/build/build/tmp/work/x86_64-
>>> nativesdk-pokysdk-linux/buildtools-tarball/1.0/testimage-
>>> sdk/environment-setup-x86_64-pokysdk-linux > /dev/null; .
>>> /srv/pokybuild/yocto-worker/buildtools/build/oe-init-build-env
>>> /srv/pokybuild/yocto-worker/buildtools/build/build/tmp/work/x86_64-
>>> nativesdk-pokysdk-linux/buildtools-tarball/1.0/testimage-
>>> sdk/bitbake-build-vbmlrryg;' returned non-zero exit status 1.
>>> Standard Output: /srv/pokybuild/yocto-worker/buildtools/build/oe-
>>> init-build-env: line 29: BBSERVER: unbound variable
>>>
>>> https://autobuilder.yoctoproject.org/valkyrie/#/builders/43/builds/2371
>>>
>>>
>>> Can you fix these failures please?
>> Remove 'set -eu' to avoid propagating strict mode to other
>> environment.d
>> scripts.
> Instead of using 'set -eu' in each script, which as can be seen above
> doesn't work, I'd suggest adding a test case that sources the
> environment-setup-* from a shell with 'set -eu' called.
>
>
>> Sent v3.
>>
>> Thanks,
>>
>> Haixiao
>>
>>> Thanks,
>>> Mathieu
>>>
>>> --
>>> Mathieu Dubois-Briand, Bootlin
>>> Embedded Linux and Kernel engineering
>>> https://bootlin.com
>>>
>> -=-=-=-=-=-=-=-=-=-=-=-
>> Links: You receive all messages sent to this group.
>> View/Reply Online (#223151):
>> https://lists.openembedded.org/g/openembedded-core/message/223151
>> Mute This Topic: https://lists.openembedded.org/mt/115081014/7501392
>> Group Owner: openembedded-core+owner@lists.openembedded.org
>> Unsubscribe:
>> https://lists.openembedded.org/g/openembedded-core/unsub [
>> andreaskleist@gmail.com]
>> -=-=-=-=-=-=-=-=-=-=-=-
>>