mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-01-29 21:08:42 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
d792f1a83e10d8f11b8824caef89079e684d56e0
poky/meta
History
Moritz Haase d792f1a83e curl: Use host CA bundle by default for native(sdk) builds 
Fixes YOCTO #16077

Commit 0f98fecd (a backport of 4909a46e) broke HTTPS downloads in opkg in the
SDK, they now fail with:

> SSL certificate problem: self-signed certificate in certificate chain

The root cause is a difference in the handling of related env vars between
curl-cli and libcurl. The CLI will honour CURL_CA_BUNDLE and SSL_CERT_DIR|FILE
(see [0]). Those are set in the SDK via env setup scripts like [1], so curl
continued to work. The library however does not handle those env vars. Thus,
unless the program utilizing libcurl has implemented a similar mechanism itself
and configures libcurl accordingly via the API (like for example Git in [2] and
[3]), there will be no default CA bundle configured to verify certificates
against.

Opkg only supports setting the CA bundle path via config options 'ssl_ca_file'
and 'ssl_ca_path'. Upstreaming and then backporting a patch to add env var
support is not a feasible short-time fix for the issue at hand. Instead it's
better to ship libcurl in the SDK with a sensible built-in default - which also
helps any other libcurl users.

This patch is based on a proposal by Peter.Marko@siemens.com in the related
mailing list discussion at [4].

(cherry picked from commit 3f819f57aa1960af36ac0448106d1dce7f38c050)

[0]: 400fffa90f/src/tool_operate.c (L2056-L2084)
[1]: https://git.openembedded.org/openembedded-core/tree/meta/recipes-support/curl/curl/environment.d-curl.sh?id=3a15ca2a784539098e95a3a06dec7c39f23db985
[2]: 6ab38b7e9c/http.c (L1389)
[3]: 6ab38b7e9c/http.c (L1108-L1109)
[4]: https://lists.openembedded.org/g/openembedded-core/topic/115993530#msg226751

(From OE-Core rev: 0e553b685c0a987a7be1eee16b7b5e3e48a036e2)

Signed-off-by: Moritz Haase <Moritz.Haase@bmw.de>
CC: matthias.schiffer@ew.tq-group.com
CC: Peter.Marko@siemens.com
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2025-12-31 07:49:31 -08:00
..
classes
spdx30_tasks: Add support for exporting PACKAGECONFIG to SPDX
2025-12-31 07:49:31 -08:00
classes-global
lib/license: Move package license skip to library
2025-11-14 06:45:29 -08:00
classes-recipe
cml1.bbclass: use consistent make flags for menuconfig
2025-12-31 07:49:31 -08:00
conf
conf/bitbake.conf: use gnu mirror instead of main server
2025-10-13 12:42:58 -07:00
files
meta: Enable '-o pipefail' for the SDK installer
2025-03-05 06:03:47 -08:00
lib
oeqa/selftest: oe-selftest: Add SPDX tests for kernel config and PACKAGECONFIG
2025-12-31 07:49:31 -08:00
recipes-bsp
u-boot: fix CVE-2024-42040
2025-11-03 07:17:02 -08:00
recipes-connectivity
wpa-supplicant: patch CVE-2025-24912
2025-11-07 06:54:40 -08:00
recipes-core
libxml2: Security fix for CVE-2025-7425
2025-12-17 08:48:37 -08:00
recipes-devtools
ruby: Upgrade 3.3.5 -> 3.3.10
2025-12-31 07:49:31 -08:00
recipes-extended
cups 2.4.11: Fix CVE-2025-61915
2025-12-31 07:49:31 -08:00
recipes-gnome
gdk-pixbuf: fix CVE-2025-7345
2025-07-21 09:07:21 -07:00
recipes-graphics
glslang: fix compiling with gcc15
2025-11-26 07:50:35 -08:00
recipes-kernel
wireless-regdb: upgrade 2024.10.07 -> 2025.10.07
2025-11-14 06:45:29 -08:00
recipes-multimedia
libpng: patch CVE-2025-66293
2025-12-17 08:48:37 -08:00
recipes-rt
rt-tests: rt_bmark.py: fix TypeError
2024-08-06 19:11:18 -07:00
recipes-sato
webkitgtk: upgrade 2.44.3 -> 2.44.4
2025-11-14 06:45:29 -08:00
recipes-support
curl: Use host CA bundle by default for native(sdk) builds
2025-12-31 07:49:31 -08:00
site
site: remove at-spi2-core values
2023-09-02 07:45:29 +01:00
COPYING.MIT
recipes.txt