On 2/5/20 11:12 AM, Dan Nicholson wrote:
> I recently ran into this same issue and dug into it for a while. The real problem stems from https://sourceware.org/bugzilla/show_bug.cgi?id=23960. The issue is that glibc 2.28 changed readdir to always use getdents64. This causes problems when you're running a 32-bit guest in QEMU on a 64-bit host. So, this would also affect running an i386 guest on an x86_64 host, for example.

Thanks for the details. This appears more to me now that this is a lower-level issue than the symptomatic behavior we see in processing certificates. (i.e., this is not a bug with ca-certificates, but with openssl)

<snip>

> So, I think there are a few options on what to do.
>
> 1. Change update-ca-certificates back to using c_rehash. Presumably perl is built with LFS and its readdir wrapper DTRT.

c_rehash could be removed at any time, so I don't think this is a good option.

> 2. Build openssl with LFS as noted above.

Noted, thanks. This is why I am starting to believe this is a bug with openssl, not ca-certificates.

> 3. Wait for a fix to be hashed out between the glibc, kernel and qemu folks.

...which I suppose is indeed the eventual lower-level issue to resolve, below openssl.

--
Kind regards,
Michael