[OE-core] native CA cert bundles (was: Re: [PATCH 3/3] cve-check-tool: Use CA cert bundle in correct sysroot)
Otavio Salvador
otavio.salvador at ossystems.com.br
Tue Nov 21 12:52:25 UTC 2017
On Tue, Nov 21, 2017 at 10:21 AM, Patrick Ohly <patrick.ohly at intel.com> wrote:
> On Tue, 2017-11-21 at 10:06 -0200, Otavio Salvador wrote:
>> On Tue, Nov 21, 2017 at 6:04 AM, Patrick Ohly <patrick.ohly at intel.com> wrote:
>> > On Thu, 2017-02-09 at 21:38 +0200, Jussi Kukkonen wrote:
>> > There is https://bugzilla.yoctoproject.org/show_bug.cgi?id=9883 open
>> > about some aspect of this, but it doesn't actually address the
>> > underlying question about what the right behavior should be. It's based
>> > on the assumption that libcurl-native should always use
>> > ca-certificates-native.
>> >
>> > Thoughts anyone?
>>
>> I agree it should use ca-certificates-native for all native; it
>> allows for self-signed internal certificates to be added for internal
>> development.
>
> But that's not what bitbake itself uses. Are you saying that bitbake
> fetchers etc. should also use whatever certificates are configured for
> ca-certificates-native? That leads to a chicken-and-egg problem.
>
> A solution where custom certificates need to be configured in two
> different places (system for bitbake, ca-certificates-native for some
> other tools) sounds sub-optimal to me.
I know, and we could override it to a place.
We ended up doing it ourselves:
https://github.com/updatehub/meta-updatehub/commit/e9c34faddb6a59d560147798b37ac6a0e3fa57bf
but this is not generic.
--
Otavio Salvador O.S. Systems
http://www.ossystems.com.br http://code.ossystems.com.br
Mobile: +55 (53) 9981-7854 Mobile: +1 (347) 903-9750