Overview
Request 504997 superseded
needs to go with SR#504984
- Created by lnussel
- In state superseded
- Superseded by 515015
- Open review for factory-staging
Request History
lnussel created request
needs to go with SR#504984
factory-auto added opensuse-review-team as a reviewer
Please review sources
factory-auto added factory-repo-checker as a reviewer
Please review build success
factory-auto accepted review
Check script succeeded
licensedigger accepted review
ok
maxlin_factory set openSUSE:Factory:Staging:F as a staging project
Being evaluated by staging project "openSUSE:Factory:Staging:F"
maxlin_factory accepted review
Picked openSUSE:Factory:Staging:F
dimstar accepted review
factory-repo-checker reopened review
ca-certificates is still building for repository openSUSE_Factory
factory-repo-checker accepted review
Builds for repo openSUSE:Factory:Staging:F/standard
dimstar_suse approved review
Removing from openSUSE:Factory:Staging:F, re-evaluation needed
dimstar_suse accepted review
Removing from openSUSE:Factory:Staging:F, re-evaluation needed
dimstar_suse added factory-staging as a reviewer
Requesting new staging review
superseded by 515015
This one seems to be responsible for quite some weird fallouts - likely some configure scripts now no longer find one of the files they are looking for (as update-ca-certificates -f no longer runs on the build system)
See for example build fails of
CC @kukuk who made the change; the build system is not systemd managed and has does not fire the services (init=/.build/build)
The best course might be to still call update-ca-certificates if -f /.buildenv
I'd rather go for something like test -w /var/lib/ca-certificates
Sounds like a reasonable option too; but that would mean on a running system with the service enabled, it is running twice: in the post script and then triggered by the service again
yes and no. If no ca-certificates change the service wouldn't trigger and even if it would most hook script won't regenerate their output. That's why the %post calls update-ca-certificates with the -f option to force regenerate all output files.
Hm, /var/lib/ca-certificates is always writeable if we update ca-certificates, even in transactional-update case. But the result may not be correct, since not all certificates are accessible (/etc).
But those would be corrected on next boot, when the oneshot service comes up and re-generates the files, no? (and reboot is needed for transactional updates in any case)
or we add that test directly to update-ca-certificates
Any consensus on the way forward here?
Yes, see bsc#1045942, transactional-update has the needed changes in Factory, waiting for Ludwig.
Backlog, until a fix can be prepared to not break build system setups