@Techassi
Member

The ca-certificates package was recently updated and caused pretty much all image builds to fail. This PR updates the expected package name to the actual package name.

A local test build of the stackable-base image was successful.

@Techassi Techassi self-assigned this Nov 20, 2025
@Techassi Techassi moved this to Development: Waiting for Review in Stackable Engineering Nov 20, 2025
Member

@sbernauer sbernauer left a comment

Just to be sure, you checked trust list --filter=ca-anchors | grep 'E-Tugra'?

@sbernauer sbernauer moved this from Development: Waiting for Review to Development: In Review in Stackable Engineering Nov 20, 2025
@Techassi
Member Author

> Just to be sure, you checked trust list --filter=ca-anchors | grep 'E-Tugra'?

Yes I did, it is gone as expected:

docker run -it oci.stackable.tech/sdp/stackable-base:1.0.0-stackable0.0.0-dev-amd64
[root@8932cda1dbe4 /]# trust list --filter=ca-anchors | grep 'E-Tugra'
[root@8932cda1dbe4 /]#

@sbernauer
Member

Oh nice! In that case I'd say we can remove the entire CVE-2023-37920 handling

@Techassi
Member Author

Oh yeah, you might be right.

I will test this after this PR is merged and will raise a new one if we are sure it is gone.

@sbernauer
Member

Works for me 👍

@Techassi Techassi added this pull request to the merge queue Nov 20, 2025
@Techassi Techassi moved this from Development: In Review to Development: Done in Stackable Engineering Nov 20, 2025
Merged via the queue into main with commit ed77c62 Nov 20, 2025
3 checks passed
@Techassi Techassi deleted the fix/base-e-tugra-certs branch November 20, 2025 08:32
@Techassi
Member Author

Okay I just checked if the CA certificates are gone before we update the root trust store via our blocklist. And yes, they are still there. I temporarily removed our blocklist and our check fails:

0.920 Still found E-Tugra root certificates, this should not happen!
0.992     label: E-Tugra Certification Authority
0.992     label: E-Tugra Global Root CA ECC v3
0.992     label: E-Tugra Global Root CA RSA v3

As such, the handling cannot be removed yet and we still need our blocklist to be in place.
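
A build-time guard in the spirit of the check discussed in the comment above, as an added example that is not part of the thread or the project's own code: it parses `trust list` output and fails when a matching root is still a trust anchor. The function names and the sample data are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not the project's check. Reads `trust list` output on stdin and
# prints each label containing $1 whose entry is still marked "trust: anchor".
find_anchored_labels() {
    awk -v pat="$1" '
        function emit() {
            if (trust == "anchor" && index(label, pat) > 0) print label
        }
        /^pkcs11:/       { emit(); label = ""; trust = ""; next }  # next entry
        /^[ \t]+label:/  { sub(/^[ \t]+label:[ \t]*/, ""); label = $0; next }
        /^[ \t]+trust:/  { sub(/^[ \t]+trust:[ \t]*/, ""); trust = $0; next }
        END              { emit() }
    '
}

# Fails (status 1) and names the offenders when a matching anchor remains.
assert_not_anchored() {
    found=$(find_anchored_labels "$1")
    [ -z "$found" ] && return 0
    echo "Still trusted as CA anchor:" >&2
    printf '%s\n' "$found" | sed 's/^/    label: /' >&2
    return 1
}

# Constructed sample in the layout of `trust list`; ids and the non-anchor
# trust value are made up for the example.
sample_trust_list() {
    cat <<'EOF'
pkcs11:id=%01;type=cert
    type: certificate
    label: E-Tugra Global Root CA RSA v3
    trust: anchor
    category: authority

pkcs11:id=%02;type=cert
    type: certificate
    label: E-Tugra Certification Authority
    trust: distrusted
    category: authority

pkcs11:id=%03;type=cert
    type: certificate
    label: Example Root CA
    trust: anchor
    category: authority
EOF
}

# In an image build: trust list --filter=ca-anchors | assert_not_anchored 'E-Tugra'
sample_trust_list | find_anchored_labels 'E-Tugra'   # prints the RSA v3 label
```

Running the guard after the blocklist step, and failing the build on a non-zero status, catches the case where a package update silently restores a root that was meant to stay distrusted.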

@sbernauer
Member

Ahh, that makes sense. Thanks for checking
