diff options
| author | Colin Walters <walters@verbum.org> | 2017-07-07 13:19:18 -0400 |
|---|---|---|
| committer | Daiki Ueno <ueno@gnu.org> | 2017-07-10 17:25:41 +0200 |
| commit | bc2f4c69bd319313dab9d85a6f8d622501593b0a (patch) | |
| tree | d74d59d0d2a94a68565a839dd5aa0078195fb395 /trust/frob-token.c | |
| parent | 9dd50249b597109c5956a531e44d46dc344daea5 (diff) | |
conf: Introduce P11_KIT_NO_USER_CONFIG
Currently `ca-certificates.spec` in Fedora ends up doing in `%post`:
```
/usr/bin/p11-kit extract --format=openssl-bundle --filter=certificates --overwrite --comment $DEST/openssl/ca-bundle.trust.crt
```
etc.
And due to this bit of code in p11-kit, we end up looking for the home
directory for configuration. In this case, `/root`.
It's categorically wrong to do this; the root user is distinct from
"the system". This issue is equivalent to one I fixed in Pango:
https://git.gnome.org/browse/pango/commit/?id=aecbe27c1b08f517c0e05f03308d3ac55cef490c
Fast forward to today, and the reason I'm making this change is I'm working on
`rpm-ostree ex container`, which builds containers as *non-root* (like
gnome-continuous does, but now with RPMs), keeping the invoking uid. And this
bug causes the `ca-certificates` `%post` to fail because it's trying to look for
my uid 1000 which doesn't exist in the target rootfs' password database.
Again, there's no reason to be looking for a home directory for system triggers,
regadless of UID, so once this patch lands, I'll update `ca-certificates` to use
it, and traditional RPM `%post` will stop looking in `/root` too.
Diffstat (limited to 'trust/frob-token.c')
0 files changed, 0 insertions, 0 deletions