[Buildroot] [PATCH for-2021.08.x] support/docker: remove expired mozilla/DST_Root_CA_X3.crt

Romain Naour romain.naour at gmail.com
Sat Nov 20 13:44:18 UTC 2021 

Hello Peter, Yann,

Le 20/11/2021 à 09:50, Yann E. MORIN a écrit :
> Peter, Romain, All,
> 
> On 2021-11-18 13:22 +0100, Peter Korsgaard spake thusly:
>>>>>>> "Romain" == Romain Naour <romain.naour at gmail.com> writes:
>>  >> > https://stackoverflow.com/questions/69408776/how-to-force-older-debian-to-forget-about-dst-root-ca-x3-expiration-and-use-isrg
>>  >> > Signed-off-by: Romain Naour <romain.naour at gmail.com>
>>  >> > Cc: Yann E. MORIN <yann.morin.1998 at free.fr>
>>  >> > ---
>>  >> > Backport this patch for 2021.08.x and 2021.02.x using buildroot/base:20200814.2228
>>  >> 
>>  >> How does this actually work? Who builds that container? Do we not need
>>  >> a corresponding update of .gitlab-ci.yml then?
>>
>>  > Well, usually it's Arnout or Yann that build and push containers to dockerhub.
>>  > On master we recently switched to gitlab registry, so maintainers and developers
>>  > of Buildroot gitlab project can update containers.
>>
>>  > The .gitlab-ci.yml is changed as soon as the container is rebuild using the
>>  > updated Dockerfile (after the commit of Dockerfile change).
>>
>> Ok, so all manually.
>>
>>  >> 2021-11-18 09:20:10 (16.5 MB/s) - 'aarch64--glibc--bleeding-edge-2020.08-1.tar.bz2' saved [127456563/127456563]
>>  >> 
>>  > Indeed but we may introduce some (unlikely) regression in the testsuite.
>>
>> If there are regressions, then it would be better to handle them as
>> people might run into the same issues. Debian 9 is old, no matter if we
>> look at the 2017 snapshot or the last bugfix (2020), so I testing
>> against that might be the best solution?
> 
> I was not sure Stretch was still maintained (I did not even check), but
> now I tested the stretch-20211115 snapshot, and indeed the certificate
> issue is no longer.
> 
> The risk of regressioni if we update is very low, because Debian really
> is stable; after 4 years of maintenance, there is not many things that
> move anymore.
> 
> So I agree that updating to the latest stretch image is better than
> hacking our ways by removing some certificate.

OK, can you update the docker image ?

Best regards,
Romain


> 
> Regards,
> Yann E. MORIN.
>

More information about the buildroot mailing list