| Message ID | 20250903081113.3182850-1-haixiao.yan.cn@windriver.com |
|---|---|
| State | New |
| Headers | show |
| Series | [1/1] environment.d-openssl.sh: fix unbound variable with 'set -u' | expand |
On Wed, 3 Sept 2025 at 10:11, Yan, Haixiao (CN) via lists.openembedded.org <Haixiao.Yan.CN=windriver.com@lists.openembedded.org> wrote: > Note: environment.d-curl.sh, environment.d-python3-requests.sh, > and environment.d-git.sh have the same issue and should be fixed > similarly. Which means we either have to fix everything (and somehow ensure it won't regress), or just have a requirement that 'set -u' is not used. I don't think it's right to fix such issues halfway. Alex
On 2025/9/3 20:24, Alexander Kanavin wrote: > CAUTION: This email comes from a non Wind River email account! > Do not click links or open attachments unless you recognize the sender and know the content is safe. > > On Wed, 3 Sept 2025 at 10:11, Yan, Haixiao (CN) via > lists.openembedded.org > <Haixiao.Yan.CN=windriver.com@lists.openembedded.org> wrote: >> Note: environment.d-curl.sh, environment.d-python3-requests.sh, >> and environment.d-git.sh have the same issue and should be fixed >> similarly. > Which means we either have to fix everything (and somehow ensure it > won't regress), or just have a requirement that 'set -u' is not used. > I don't think it's right to fix such issues halfway. This patch addresses all the affected files introduced by the commit https://git.openembedded.org/openembedded-core/commit/meta?id=8a7ec52e9b35654bee48cd948c6c34c63db3e265. Could you please clarify what you mean by "fix everything"? Thanks, Haixiao > > Alex
On Thu, 4 Sept 2025 at 04:59, Haixiao Yan <haixiao.yan.cn@windriver.com> wrote: > > <Haixiao.Yan.CN=windriver.com@lists.openembedded.org> wrote: > >> Note: environment.d-curl.sh, environment.d-python3-requests.sh, > >> and environment.d-git.sh have the same issue and should be fixed > >> similarly. > > Which means we either have to fix everything (and somehow ensure it > > won't regress), or just have a requirement that 'set -u' is not used. > > I don't think it's right to fix such issues halfway. > This patch addresses all the affected files introduced by the commit > https://git.openembedded.org/openembedded-core/commit/meta?id=8a7ec52e9b35654bee48cd948c6c34c63db3e265. > > > Could you please clarify what you mean by "fix everything"? There are a lot of scripts in oe-core itself, and in the content produced by recipes, and I can imagine most of them are going to have the same issue with set -u, because generally shell code is not written with the guards for it. I would like to understand what makes these particular scripts special. Why are they causing problems for you but not anything else written in shell? It's difficult to believe that nothing else hits the same problem. Please describe how, and why you use set -u. Alex
On 9/4/2025 6:38 PM, Alexander Kanavin wrote: > CAUTION: This email comes from a non Wind River email account! > Do not click links or open attachments unless you recognize the sender and know the content is safe. > > On Thu, 4 Sept 2025 at 04:59, Haixiao Yan <haixiao.yan.cn@windriver.com> wrote: >>> <Haixiao.Yan.CN=windriver.com@lists.openembedded.org> wrote: >>>> Note: environment.d-curl.sh, environment.d-python3-requests.sh, >>>> and environment.d-git.sh have the same issue and should be fixed >>>> similarly. >>> Which means we either have to fix everything (and somehow ensure it >>> won't regress), or just have a requirement that 'set -u' is not used. >>> I don't think it's right to fix such issues halfway. >> This patch addresses all the affected files introduced by the commit >> https://git.openembedded.org/openembedded-core/commit/meta?id=8a7ec52e9b35654bee48cd948c6c34c63db3e265. >> >> >> Could you please clarify what you mean by "fix everything"? > There are a lot of scripts in oe-core itself, and in the content > produced by recipes, and I can imagine most of them are going to have > the same issue with set -u, because generally shell code is not > written with the guards for it. > > I would like to understand what makes these particular scripts > special. Why are they causing problems for you but not anything else > written in shell? It's difficult to believe that nothing else hits the > same problem. > > Please describe how, and why you use set -u. 1.Generate the SDK — bitbake -c populate_sdk imageRecipeName 2.Install the SDK using the .sh script 3.Open a fresh bash shell - IMPORTANT 4.set -eu 5.source the SDK It was working properly before the commit https://git.openembedded.org/openembedded-core/commit/meta?id=8a7ec52e9b35654bee48cd948c6c34c63db3e265. Therefore, it appears that this may be a regression issue. Thanks, Haixiao > > Alex
On Fri, 5 Sept 2025 at 07:12, Yan, Haixiao (CN) <haixiao.yan.cn@windriver.com> wrote: > > Please describe how, and why you use set -u. > 1.Generate the SDK — bitbake -c populate_sdk imageRecipeName > 2.Install the SDK using the .sh script > 3.Open a fresh bash shell - IMPORTANT > 4.set -eu > 5.source the SDK > > It was working properly before the commit > https://git.openembedded.org/openembedded-core/commit/meta?id=8a7ec52e9b35654bee48cd948c6c34c63db3e265. Thanks. But why set -eu is used to begin with? Alex
On 9/5/2025 6:31 PM, Alexander Kanavin wrote: > CAUTION: This email comes from a non Wind River email account! > Do not click links or open attachments unless you recognize the sender and know the content is safe. > > On Fri, 5 Sept 2025 at 07:12, Yan, Haixiao (CN) > <haixiao.yan.cn@windriver.com> wrote: >>> Please describe how, and why you use set -u. >> 1.Generate the SDK — bitbake -c populate_sdk imageRecipeName >> 2.Install the SDK using the .sh script >> 3.Open a fresh bash shell - IMPORTANT >> 4.set -eu >> 5.source the SDK >> >> It was working properly before the commit >> https://git.openembedded.org/openembedded-core/commit/meta?id=8a7ec52e9b35654bee48cd948c6c34c63db3e265. > Thanks. But why set -eu is used to begin with? We are following the industry best practices for example https://sharats.me/posts/shell-script-best-practices/ — The Sharat's points #4 and #5. In this specific scenario the changes done in https://git.openembedded.org/openembedded-core/commit/meta?id=8a7ec52e9b35654bee48cd948c6c34c63db3e265 make it impossible for us to source the SDK due to SSL_CERT_FILE being unset. Thanks, Haixiao > > Alex
On Fri, 5 Sept 2025 at 12:38, Yan, Haixiao (CN) <haixiao.yan.cn@windriver.com> wrote: > > Thanks. But why set -eu is used to begin with? > We are following the industry best practices for example > https://sharats.me/posts/shell-script-best-practices/ — The Sharat's > points #4 and #5. Right. But then why not also add 'set -eu' to the beginning of all of these scripts, so it's enforced, and prevents future regressions? If you agree, can you add a second commit and resend? Alex
On 9/5/2025 6:42 PM, Alexander Kanavin wrote: > CAUTION: This email comes from a non Wind River email account! > Do not click links or open attachments unless you recognize the sender and know the content is safe. > > On Fri, 5 Sept 2025 at 12:38, Yan, Haixiao (CN) > <haixiao.yan.cn@windriver.com> wrote: >>> Thanks. But why set -eu is used to begin with? >> We are following the industry best practices for example >> https://sharats.me/posts/shell-script-best-practices/ — The Sharat's >> points #4 and #5. > Right. But then why not also add 'set -eu' to the beginning of all of > these scripts, so it's enforced, and prevents future regressions? If > you agree, can you add a second commit and resend? OK,I will create a new patch for this. Thanks, Haixiao > > Alex
diff --git a/meta/recipes-connectivity/openssl/files/environment.d-openssl.sh b/meta/recipes-connectivity/openssl/files/environment.d-openssl.sh index c635be8acab3..d989a2279183 100644 --- a/meta/recipes-connectivity/openssl/files/environment.d-openssl.sh +++ b/meta/recipes-connectivity/openssl/files/environment.d-openssl.sh @@ -4,16 +4,16 @@ export OPENSSL_ENGINES="$OECORE_NATIVE_SYSROOT/usr/lib/engines-3" # Respect host env SSL_CERT_FILE/SSL_CERT_DIR first, then auto-detected host cert, then cert in buildtools # CAFILE/CAPATH is auto-deteced when source buildtools -if [ -z "$SSL_CERT_FILE" ]; then - if [ -n "$CAFILE" ];then +if [ -z "${SSL_CERT_FILE:-}" ]; then + if [ -n "${CAFILE:-}" ];then export SSL_CERT_FILE="$CAFILE" elif [ -e "${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt" ];then export SSL_CERT_FILE="$OECORE_NATIVE_SYSROOT/usr/lib/ssl/certs/ca-certificates.crt" fi fi -if [ -z "$SSL_CERT_DIR" ]; then - if [ -n "$CAPATH" ];then +if [ -z "${SSL_CERT_DIR:-}" ]; then + if [ -n "${CAPATH:-}" ];then export SSL_CERT_DIR="$CAPATH" elif [ -e "${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt" ];then export SSL_CERT_DIR="$OECORE_NATIVE_SYSROOT/usr/lib/ssl/certs" diff --git a/meta/recipes-devtools/git/git/environment.d-git.sh b/meta/recipes-devtools/git/git/environment.d-git.sh index 9c7b5a92512a..fdfa721c3b2e 100644 --- a/meta/recipes-devtools/git/git/environment.d-git.sh +++ b/meta/recipes-devtools/git/git/environment.d-git.sh @@ -1,15 +1,15 @@ # Respect host env GIT_SSL_CAINFO/GIT_SSL_CAPATH first, then auto-detected host cert, then cert in buildtools # CAFILE/CAPATH is auto-deteced when source buildtools -if [ -z "$GIT_SSL_CAINFO" ]; then - if [ -n "$CAFILE" ];then +if [ -z "${GIT_SSL_CAINFO:-}" ]; then + if [ -n "${CAFILE:-}" ];then export GIT_SSL_CAINFO="$CAFILE" elif [ -e "${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt" ];then export GIT_SSL_CAINFO="${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt" fi fi -if [ -z "$GIT_SSL_CAPATH" ]; then - if [ -n "$CAPATH" ];then +if [ -z "${GIT_SSL_CAPATH:-}" ]; then + if [ -n "${CAPATH:-}" ];then export GIT_SSL_CAPATH="$CAPATH" elif [ -e "${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt" ];then export GIT_SSL_CAPATH="${OECORE_NATIVE_SYSROOT}/etc/ssl/certs" diff --git a/meta/recipes-devtools/python/python3-requests/environment.d-python3-requests.sh b/meta/recipes-devtools/python/python3-requests/environment.d-python3-requests.sh index 492177a9c377..400972814b6e 100644 --- a/meta/recipes-devtools/python/python3-requests/environment.d-python3-requests.sh +++ b/meta/recipes-devtools/python/python3-requests/environment.d-python3-requests.sh @@ -1,7 +1,7 @@ # Respect host env REQUESTS_CA_BUNDLE first, then auto-detected host cert, then cert in buildtools # CAFILE/CAPATH is auto-deteced when source buildtools -if [ -z "$REQUESTS_CA_BUNDLE" ]; then - if [ -n "$CAFILE" ];then +if [ -z "${REQUESTS_CA_BUNDLE:-}" ]; then + if [ -n "${CAFILE:-}" ];then export REQUESTS_CA_BUNDLE="$CAFILE" elif [ -e "${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt" ];then export REQUESTS_CA_BUNDLE="${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt" diff --git a/meta/recipes-support/curl/curl/environment.d-curl.sh b/meta/recipes-support/curl/curl/environment.d-curl.sh index 7c2971b3dad1..581108ef35d8 100644 --- a/meta/recipes-support/curl/curl/environment.d-curl.sh +++ b/meta/recipes-support/curl/curl/environment.d-curl.sh @@ -1,15 +1,15 @@ # Respect host env CURL_CA_BUNDLE/CURL_CA_PATH first, then auto-detected host cert, then cert in buildtools # CAFILE/CAPATH is auto-deteced when source buildtools -if [ -z "$CURL_CA_PATH" ]; then - if [ -n "$CAFILE" ];then +if [ -z "${CURL_CA_PATH:-}" ]; then + if [ -n "${CAFILE:-}" ];then export CURL_CA_BUNDLE="$CAFILE" elif [ -e "${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt" ];then export CURL_CA_BUNDLE="${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt" fi fi -if [ -z "$CURL_CA_PATH" ]; then - if [ -n "$CAPATH" ];then +if [ -z "${CURL_CA_PATH:-}" ]; then + if [ -n "${CAPATH:-}" ];then export CURL_CA_PATH="$CAPATH" elif [ -e "${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt" ];then export CURL_CA_PATH="${OECORE_NATIVE_SYSROOT}/etc/ssl/certs"