[scarthgap,8/8] curl: only set CA bundle in target build

Message ID	0f98fecda8a0436f760e6fd9f3b7eb510e5258b8.1761596406.git.steve@sakoman.com
State	RFC
Delegated to:	Steve Sakoman
Headers	show Return-Path: <steve@sakoman.com> ip: 209.85.214.179, mailfrom: steve@sakoman.com) From: Steve Sakoman <steve@sakoman.com> To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 8/8] curl: only set CA bundle in target build Date: Tue, 28 Oct 2025 06:46:18 -0700 Message-ID: <0f98fecda8a0436f760e6fd9f3b7eb510e5258b8.1761596406.git.steve@sakoman.com> In-Reply-To: <cover.1761596406.git.steve@sakoman.com> References: <cover.1761596406.git.steve@sakoman.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	[scarthgap,1/8] libpam: mark CVE-2025-6018 as not applicable \| expand [scarthgap,1/8] libpam: mark CVE-2025-6018 as not applicable [scarthgap,2/8] expat: patch CVE-2025-59375 [scarthgap,3/8] elfutils: Fix CVE-2025-1376 [scarthgap,4/8] elfutils: Fix CVE-2025-1377 [scarthgap,5/8] flex: fix build with gcc-15 on host [scarthgap,6/8] gstreamer1.0-plugins-bad: fix buffer allocation fail for v4l2codecs [scarthgap,7/8] iptables: remove /etc/ethertypes [scarthgap,8/8] curl: only set CA bundle in target build

Message ID

0f98fecda8a0436f760e6fd9f3b7eb510e5258b8.1761596406.git.steve@sakoman.com

State

RFC

Delegated to:

Steve Sakoman

Headers

From: Steve Sakoman <steve@sakoman.com>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 8/8] curl: only set CA bundle in target build
Date: Tue, 28 Oct 2025 06:46:18 -0700
Message-ID: 
 <0f98fecda8a0436f760e6fd9f3b7eb510e5258b8.1761596406.git.steve@sakoman.com>
In-Reply-To: <cover.1761596406.git.steve@sakoman.com>
References: <cover.1761596406.git.steve@sakoman.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

[scarthgap,1/8] libpam: mark CVE-2025-6018 as not applicable | expand

Commit Message

Steve Sakoman Oct. 28, 2025, 1:46 p.m. UTC

From: Matthias Schiffer <matthias.schiffer@ew.tq-group.com>

In native/nativesdk builds, sysconfdir refers to a recipe sysroot
directory, which will disappear once the workdir is cleaned up, breaking
libcurl's HTTPS connections.

By simply not setting --with-ca-bundle at all in non-target builds, curl
defaults to the host system's CA certificates, which is desirable anyways
to allow builds in environments that require local CA certificates.

(From OE-Core rev: 4909a46e93ba774c960c3d3c277e2a669af3fea6)

Signed-off-by: Matthias Schiffer <matthias.schiffer@ew.tq-group.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-support/curl/curl_8.7.1.bb | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/meta/recipes-support/curl/curl_8.7.1.bb b/meta/recipes-support/curl/curl_8.7.1.bb
index 6ed3d6e84d..713d90a378 100644
--- a/meta/recipes-support/curl/curl_8.7.1.bb
+++ b/meta/recipes-support/curl/curl_8.7.1.bb
@@ -94,11 +94,13 @@  PACKAGECONFIG[zstd] = "--with-zstd,--without-zstd,zstd"
 EXTRA_OECONF = " \
     --disable-libcurl-option \
     --disable-ntlm-wb \
-    --with-ca-bundle=${sysconfdir}/ssl/certs/ca-certificates.crt \
     --without-libpsl \
     --enable-optimize \
     ${@'--without-ssl' if (bb.utils.filter('PACKAGECONFIG', 'gnutls mbedtls openssl', d) == '') else ''} \
 "
+EXTRA_OECONF:append:class-target = " \
+    --with-ca-bundle=${sysconfdir}/ssl/certs/ca-certificates.crt \
+"
 
 fix_absolute_paths () {
 	# cleanup buildpaths from curl-config

[scarthgap,8/8] curl: only set CA bundle in target build

Commit Message

Patch