[OE-core] [PATCH] ca-certificates: prevent executing update-ca-certificates from host system

Andrej Valek andrej.valek at siemens.com
Wed Aug 23 12:07:49 UTC 2017


Hello Richard,

I have found out that even master with HOSTTOOLS does not fix my problem.
We use ASSUME_PROVIDED for ca-certificates-native due to corporate
environment CAs.
Since nativesdk-ca-certificates depends on ca-certificates-native, which
is not built, it could not be found.
Unfortunately, adding update-ca-certificates to HOSTTOOLS is not working,
since the build user does not have permission to modify system CAs, and it
is also in /usr/sbin/, which is not in the usual system path.

Therefore I think that this patch applies to the master branch, too.
A possible improvement would also be removing ca-certificates-native from
the DEPENDS of class-nativesdk.

The solution of installing corporate CAs within an OE recipe does not seem
to be ideal, because the CAs have a short expiration date. So using system
CAs assures reachability of resources over https.
We had to do this because the svn fetcher uses https without an option to
ignore errors (unlike wget, which ignores certificates by default).

Regards,
Andrej

On 08/21/2017 08:12 AM, [ext] Andrej Valek wrote:
> Hello Armin,
> 
> Could you please merge it into the krogoth and morty branches?
> 
> @Randy: the last commit into those branches was ~5 weeks ago, so they are
> still maintained.
> 
> Regards,
> Andrej
> 
> On 08/18/2017 05:46 PM, Randy MacLeod wrote:
>> On 2017-08-18 06:05 AM, Andrej Valek wrote:
>>> OK, thank you, so please merge it into these branches.
>>
>> Add Armin, who maintains those branches:
>>     https://wiki.yoctoproject.org/wiki/Releases
>> Is Krogoth still maintained? It's listed as Stable in the link above.
>>
>> ../Randy
>>
>>
>>
>>>
>>> Regards,
>>> Andrej
>>>
>>> On 08/18/2017 11:35 AM, Richard Purdie wrote:
>>>> On Fri, 2017-08-18 at 08:26 +0200, Andrej Valek wrote:
>>>>> Yes, for the actual branch it is not required. But for branches like
>>>>> krogoth and morty, where HOSTTOOLS is not implemented, it is necessary.
>>>>
>>>> Let's just apply this to krogoth/morty then...
>>>>
>>>> Cheers,
>>>>
>>>> Richard
>>>>
>>
>>


