* Re: openssl: Do not create /etc/ssl/certs @ 2020-11-03 13:44 nate.karstens 2020-11-03 13:44 ` [OE-core][PATCH] " Nate Karstens 0 siblings, 1 reply; 5+ messages in thread From: nate.karstens @ 2020-11-03 13:44 UTC (permalink / raw) To: openembedded-core See https://lists.openembedded.org/g/openembedded-core/topic/77917492#144026 Tested with core-image-sato build using OpenSSL 1.1.1g. ^ permalink raw reply [flat|nested] 5+ messages in thread
* [OE-core][PATCH] openssl: Do not create /etc/ssl/certs 2020-11-03 13:44 openssl: Do not create /etc/ssl/certs nate.karstens @ 2020-11-03 13:44 ` Nate Karstens 2020-11-03 13:47 ` Nate Karstens 2020-11-03 16:00 ` Richard Purdie 0 siblings, 2 replies; 5+ messages in thread From: Nate Karstens @ 2020-11-03 13:44 UTC (permalink / raw) To: openembedded-core; +Cc: Nate Karstens The openssl package previously created an empty folder for CA certificates at /etc/ssl/certs. Other packages, like ca-certificates, would then populate this folder. Certain systems need more flexibility with how this folder is created and populated (e.g., a symlink is needed). To accommodate this, the openssl recipe no longer creates the empty folder. Instead, the folder will only be created by packages that populate it. Signed-off-by: Nate Karstens <nate.karstens@garmin.com> --- meta/recipes-connectivity/openssl/openssl_1.1.1h.bb | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.1h.bb b/meta/recipes-connectivity/openssl/openssl_1.1.1h.bb index eb11fe3960..5723d19dbf 100644 --- a/meta/recipes-connectivity/openssl/openssl_1.1.1h.bb +++ b/meta/recipes-connectivity/openssl/openssl_1.1.1h.bb @@ -134,14 +134,12 @@ do_install () { # Create SSL structure for packages such as ca-certificates which # contain hard-coded paths to /etc/ssl. Debian does the same. install -d ${D}${sysconfdir}/ssl - mv ${D}${libdir}/ssl-1.1/certs \ - ${D}${libdir}/ssl-1.1/private \ + mv ${D}${libdir}/ssl-1.1/private \ ${D}${libdir}/ssl-1.1/openssl.cnf \ ${D}${sysconfdir}/ssl/ # Although absolute symlinks would be OK for the target, they become # invalid if native or nativesdk are relocated from sstate. - ln -sf ${@oe.path.relative('${libdir}/ssl-1.1', '${sysconfdir}/ssl/certs')} ${D}${libdir}/ssl-1.1/certs ln -sf ${@oe.path.relative('${libdir}/ssl-1.1', '${sysconfdir}/ssl/private')} ${D}${libdir}/ssl-1.1/private ln -sf ${@oe.path.relative('${libdir}/ssl-1.1', '${sysconfdir}/ssl/openssl.cnf')} ${D}${libdir}/ssl-1.1/openssl.cnf } -- 2.28.0 ^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [OE-core][PATCH] openssl: Do not create /etc/ssl/certs 2020-11-03 13:44 ` [OE-core][PATCH] " Nate Karstens @ 2020-11-03 13:47 ` Nate Karstens 2020-11-03 16:00 ` Richard Purdie 1 sibling, 0 replies; 5+ messages in thread From: Nate Karstens @ 2020-11-03 13:47 UTC (permalink / raw) To: openembedded-core@lists.openembedded.org My introductory message seems to have been deleted. This was in reply to https://lists.openembedded.org/g/openembedded-core/topic/77917492#144026 and was tested with core-image-sato build using OpenSSL 1.1.1g. Nate -----Original Message----- From: Karstens, Nate <Nate.Karstens@garmin.com> Sent: Tuesday, November 03, 2020 07:44 To: openembedded-core@lists.openembedded.org Cc: Karstens, Nate <Nate.Karstens@garmin.com> Subject: [OE-core][PATCH] openssl: Do not create /etc/ssl/certs The openssl package previously created an empty folder for CA certificates at /etc/ssl/certs. Other packages, like ca-certificates, would then populate this folder. Certain systems need more flexibility with how this folder is created and populated (e.g., a symlink is needed). To accommodate this, the openssl recipe no longer creates the empty folder. Instead, the folder will only be created by packages that populate it. Signed-off-by: Nate Karstens <nate.karstens@garmin.com> --- meta/recipes-connectivity/openssl/openssl_1.1.1h.bb | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.1h.bb b/meta/recipes-connectivity/openssl/openssl_1.1.1h.bb index eb11fe3960..5723d19dbf 100644 --- a/meta/recipes-connectivity/openssl/openssl_1.1.1h.bb +++ b/meta/recipes-connectivity/openssl/openssl_1.1.1h.bb @@ -134,14 +134,12 @@ do_install () { # Create SSL structure for packages such as ca-certificates which # contain hard-coded paths to /etc/ssl. Debian does the same. install -d ${D}${sysconfdir}/ssl - mv ${D}${libdir}/ssl-1.1/certs \ - ${D}${libdir}/ssl-1.1/private \ + mv ${D}${libdir}/ssl-1.1/private \ ${D}${libdir}/ssl-1.1/openssl.cnf \ ${D}${sysconfdir}/ssl/ # Although absolute symlinks would be OK for the target, they become # invalid if native or nativesdk are relocated from sstate. - ln -sf ${@oe.path.relative('${libdir}/ssl-1.1', '${sysconfdir}/ssl/certs')} ${D}${libdir}/ssl-1.1/certs ln -sf ${@oe.path.relative('${libdir}/ssl-1.1', '${sysconfdir}/ssl/private')} ${D}${libdir}/ssl-1.1/private ln -sf ${@oe.path.relative('${libdir}/ssl-1.1', '${sysconfdir}/ssl/openssl.cnf')} ${D}${libdir}/ssl-1.1/openssl.cnf } -- 2.28.0 ^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [OE-core][PATCH] openssl: Do not create /etc/ssl/certs 2020-11-03 13:44 ` [OE-core][PATCH] " Nate Karstens 2020-11-03 13:47 ` Nate Karstens @ 2020-11-03 16:00 ` Richard Purdie 2020-11-06 6:55 ` Nate Karstens 1 sibling, 1 reply; 5+ messages in thread From: Richard Purdie @ 2020-11-03 16:00 UTC (permalink / raw) To: nate.karstens, openembedded-core On Tue, 2020-11-03 at 07:44 -0600, Nate Karstens via lists.openembedded.org wrote: > The openssl package previously created an empty folder for > CA certificates at /etc/ssl/certs. Other packages, like > ca-certificates, would then populate this folder. > > Certain systems need more flexibility with how this folder > is created and populated (e.g., a symlink is needed). To > accommodate this, the openssl recipe no longer creates the > empty folder. Instead, the folder will only be created by > packages that populate it. > > Signed-off-by: Nate Karstens <nate.karstens@garmin.com> > --- > meta/recipes-connectivity/openssl/openssl_1.1.1h.bb | 4 +--- > 1 file changed, 1 insertion(+), 3 deletions(-) > > diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.1h.bb b/meta/recipes-connectivity/openssl/openssl_1.1.1h.bb > index eb11fe3960..5723d19dbf 100644 > --- a/meta/recipes-connectivity/openssl/openssl_1.1.1h.bb > +++ b/meta/recipes-connectivity/openssl/openssl_1.1.1h.bb > @@ -134,14 +134,12 @@ do_install () { > # Create SSL structure for packages such as ca-certificates which > # contain hard-coded paths to /etc/ssl. Debian does the same. > install -d ${D}${sysconfdir}/ssl > - mv ${D}${libdir}/ssl-1.1/certs \ > - ${D}${libdir}/ssl-1.1/private \ > + mv ${D}${libdir}/ssl-1.1/private \ > ${D}${libdir}/ssl-1.1/openssl.cnf \ > ${D}${sysconfdir}/ssl/ > > # Although absolute symlinks would be OK for the target, they become > # invalid if native or nativesdk are relocated from sstate. > - ln -sf ${@oe.path.relative('${libdir}/ssl-1.1', '${sysconfdir}/ssl/certs')} ${D}${libdir}/ssl-1.1/certs > ln -sf ${@oe.path.relative('${libdir}/ssl-1.1', '${sysconfdir}/ssl/private')} ${D}${libdir}/ssl-1.1/private > ln -sf ${@oe.path.relative('${libdir}/ssl-1.1', '${sysconfdir}/ssl/openssl.cnf')} ${D}${libdir}/ssl-1.1/openssl.cnf When you asked about this in the previous email, I questioned whether we still needed the symlink. Did you check into that? I suspect we may need it as openssl itself may reference that path internally? Cheers, Richard ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [OE-core][PATCH] openssl: Do not create /etc/ssl/certs 2020-11-03 16:00 ` Richard Purdie @ 2020-11-06 6:55 ` Nate Karstens 0 siblings, 0 replies; 5+ messages in thread From: Nate Karstens @ 2020-11-06 6:55 UTC (permalink / raw) To: Richard Purdie, openembedded-core@lists.openembedded.org Richard, Thanks for your help in looking into this. After looking at it further the OpenSSL code itself is creating the empty certs folder: https://github.com/openssl/openssl/blob/f123043faa15965c34947670ff3d3a7005d6bdb4/Configurations/unix-Makefile.tmpl#L552 As such, we thought it would be unwise to modify the openssl recipe. Instead, we plan to change the conflicting recipe to use a post-installation script. Cheers, Nate -----Original Message----- From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> On Behalf Of Richard Purdie Sent: Tuesday, November 03, 2020 10:00 To: Karstens, Nate <Nate.Karstens@garmin.com>; openembedded-core@lists.openembedded.org Subject: Re: [OE-core][PATCH] openssl: Do not create /etc/ssl/certs CAUTION - EXTERNAL EMAIL: Do not click any links or open any attachments unless you trust the sender and know the content is safe. On Tue, 2020-11-03 at 07:44 -0600, Nate Karstens via lists.openembedded.org wrote: > The openssl package previously created an empty folder for CA > certificates at /etc/ssl/certs. Other packages, like ca-certificates, > would then populate this folder. > > Certain systems need more flexibility with how this folder is created > and populated (e.g., a symlink is needed). To accommodate this, the > openssl recipe no longer creates the empty folder. Instead, the folder > will only be created by packages that populate it. > > Signed-off-by: Nate Karstens <nate.karstens@garmin.com> > --- > meta/recipes-connectivity/openssl/openssl_1.1.1h.bb | 4 +--- > 1 file changed, 1 insertion(+), 3 deletions(-) > > diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.1h.bb > b/meta/recipes-connectivity/openssl/openssl_1.1.1h.bb > index eb11fe3960..5723d19dbf 100644 > --- a/meta/recipes-connectivity/openssl/openssl_1.1.1h.bb > +++ b/meta/recipes-connectivity/openssl/openssl_1.1.1h.bb > @@ -134,14 +134,12 @@ do_install () { > # Create SSL structure for packages such as ca-certificates which > # contain hard-coded paths to /etc/ssl. Debian does the same. > install -d ${D}${sysconfdir}/ssl > - mv ${D}${libdir}/ssl-1.1/certs \ > - ${D}${libdir}/ssl-1.1/private \ > + mv ${D}${libdir}/ssl-1.1/private \ > ${D}${libdir}/ssl-1.1/openssl.cnf \ > ${D}${sysconfdir}/ssl/ > > # Although absolute symlinks would be OK for the target, they become > # invalid if native or nativesdk are relocated from sstate. > - ln -sf ${@oe.path.relative('${libdir}/ssl-1.1', '${sysconfdir}/ssl/certs')} ${D}${libdir}/ssl-1.1/certs > ln -sf ${@oe.path.relative('${libdir}/ssl-1.1', '${sysconfdir}/ssl/private')} ${D}${libdir}/ssl-1.1/private > ln -sf ${@oe.path.relative('${libdir}/ssl-1.1', > '${sysconfdir}/ssl/openssl.cnf')} ${D}${libdir}/ssl-1.1/openssl.cnf When you asked about this in the previous email, I questioned whether we still needed the symlink. Did you check into that? I suspect we may need it as openssl itself may reference that path internally? Cheers, Richard ^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2020-11-06 6:55 UTC | newest] Thread overview: 5+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2020-11-03 13:44 openssl: Do not create /etc/ssl/certs nate.karstens 2020-11-03 13:44 ` [OE-core][PATCH] " Nate Karstens 2020-11-03 13:47 ` Nate Karstens 2020-11-03 16:00 ` Richard Purdie 2020-11-06 6:55 ` Nate Karstens
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox