From: nate.karstens@garmin.com
To: openembedded-core@lists.openembedded.org
Subject: openssl: Proposal to stop creating /etc/ssl/certs
Date: Fri, 30 Oct 2020 10:25:31 -0700 [thread overview]
Message-ID: <xP9d.1604078731359224154.jFZQ@lists.openembedded.org> (raw)
[-- Attachment #1: Type: text/plain, Size: 1934 bytes --]
Greetings,
The openssl recipe installs an empty folder /etc/ssl/certs. This is eventually where other recipes like ca-certificates can copy CA certificates for the system. We are working on a tool that can hot-swap those certificates at runtime. The only way to have this transition be seamless and atomic is to make /etc/ssl/certs a symlink to another folder that contains the actual certificates; to update the certificates we just replace the symlink.
Our recipe for this tool conflicts with the empty folder in the openssl package. We were wondering if it made sense to change the openssl recipe to no longer create this folder, the idea being that recipes that populate the folder (like ca-certificates) would be responsible for creating it.
Here is a link to the recipe:
https://git.yoctoproject.org/cgit/cgit.cgi/poky/tree/meta/recipes-connectivity/openssl/openssl_1.1.1g.bb ( https://urldefense.com/v3/__https:/git.yoctoproject.org/cgit/cgit.cgi/poky/tree/meta/recipes-connectivity/openssl/openssl_1.1.1g.bb__;!!EJc4YC3iFmQ!CgiLpD5LsQ6adCzphoFeUHIvQm-M8g2nkDA4_4gtF71eHm20Q0lGSwMahtdHA3ybWA$ )
Line 135 does contain a note that Debian sets up the SSL structure. Creating a placeholder for where CA certificates would eventually go makes sense with certain systems. There could be desktop distros that rely on the user to manually install the certs they need for their organization and providing a location for this would be helpful. I don’t think this makes sense for the typical embedded system where this folder is on a read-only filesystem.
I've just been testing locally with a bbappend that uses rmdir to remove the folder, but unless there are objections I will submit a patch that removes lines 137 (moving the 'mv' to the next line) and 144. I think line 152 can remain in case the variable is useful to anyone.
Thanks,
Nate Karstens
Marine Software Engineering
Garmin International, Inc.
[-- Attachment #2: Type: text/html, Size: 39205 bytes --]
next reply other threads:[~2020-10-30 17:25 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-10-30 17:25 nate.karstens [this message]
2020-10-31 0:41 ` [OE-core] openssl: Proposal to stop creating /etc/ssl/certs Richard Purdie
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=xP9d.1604078731359224154.jFZQ@lists.openembedded.org \
--to=nate.karstens@garmin.com \
--cc=openembedded-core@lists.openembedded.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox