From 3637f18b23440b50cea64747dc206027dbf88f07 Mon Sep 17 00:00:00 2001 From: Rei Oliveira Date: Mon, 17 Jun 2024 19:08:49 -0300 Subject: [PATCH] Patch ca-certificates package Command /usr/sbin/update-ca-certificates updates the system certificate bundle with the below ( simplified ) logic: - delete the bundle - create a new bundle as /etc/ssl/certs/ca-certificates.crt.tmp.XXXX - mv /etc/ssl/certs/ca-certificates.crt.tmp.XXXX to /etc/ssl/certs/ca-certificates.crt Between the delete and the move the bundle file does not exist, so a process that reads it at that moment, such as an HTTP client performing TLS verification, fails with a FileNotFound error. This change removes the delete operation. The current bundle file will now be replaced in its entirety by the atomic move operation. Test plan: PASS Full build, install, bootstrap and unlock PASS Verify that the delete operation is no longer found in /usr/sbin/update-ca-certificates PASS Start a process to read from the certificate bundle in very short intervals. Run 'update-ca-certificates --localcertsdir /etc/pki/ca-trust/source/anchors' many times and verify that no FileNotFound errors show up in the process reading the certificate bundle. Closes-Bug: 2073123 Depends-on: https://review.opendev.org/c/starlingx/root/+/922519 Change-Id: If79156dc2024e5d2ab676a6e812798dbd0a355da Signed-off-by: Rei Oliveira --- base/ca-certificates/debian/meta_data.yaml | 10 ++++++++ ...plicit-delete-while-update-CA-bundle.patch | 24 +++++++++++++++++++ base/ca-certificates/debian/patches/series | 1 + debian_iso_image.inc | 2 ++ debian_pkg_dirs | 1 + 5 files changed, 38 insertions(+) create mode 100644 base/ca-certificates/debian/meta_data.yaml create mode 100644 base/ca-certificates/debian/patches/0001-Remove-explicit-delete-while-update-CA-bundle.patch create mode 100644 base/ca-certificates/debian/patches/series
diff --git a/base/ca-certificates/debian/meta_data.yaml b/base/ca-certificates/debian/meta_data.yaml
new file mode 100644
index 000000000..b6012ed34
--- /dev/null
+++ b/base/ca-certificates/debian/meta_data.yaml
@@ -0,0 +1,10 @@
+---
+debver: 20210119
+debname: ca-certificates
+dl_path:
+ name: ca-certificates-archive-debian-20210119.tar.gz
+ url: https://salsa.debian.org/debian/ca-certificates/-/archive/archive/debian/20210119/ca-certificates-archive-debian-20210119.tar.gz
+ sha256sum: a639f1d0598fa8f7a864c7c93860bde2eb00c5a51e66c0f7b0e716f092852eaf
+revision:
+ dist: $STX_DIST
+ PKG_GITREVCOUNT: true
diff --git a/base/ca-certificates/debian/patches/0001-Remove-explicit-delete-while-update-CA-bundle.patch b/base/ca-certificates/debian/patches/0001-Remove-explicit-delete-while-update-CA-bundle.patch
new file mode 100644
index 000000000..0d3077bd0
--- /dev/null
+++ b/base/ca-certificates/debian/patches/0001-Remove-explicit-delete-while-update-CA-bundle.patch
@@ -0,0 +1,24 @@
+From c0006b7d23fc1c9014ecc8b5da51042e912bcac2 Mon Sep 17 00:00:00 2001
+From: Rei Oliveira
+Date: Mon, 17 Jun 2024 19:00:28 -0300
+Subject: [PATCH] Remove explicity delete while update CA bundle
+
+---
+ sbin/update-ca-certificates | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/sbin/update-ca-certificates b/sbin/update-ca-certificates
+index b27c6bd..473e90e 100755
+--- a/sbin/update-ca-certificates
++++ b/sbin/update-ca-certificates
+@@ -164,8 +164,6 @@ then
+ done
+ fi
+
+-rm -f "$CERTBUNDLE"
+-
+ ADDED_CNT=$(wc -l < "$ADDED")
+ REMOVED_CNT=$(wc -l < "$REMOVED")
+
+--
+2.34.1
diff --git a/base/ca-certificates/debian/patches/series b/base/ca-certificates/debian/patches/series
new file mode 100644
index 000000000..79e3eaa1c
--- /dev/null
+++ b/base/ca-certificates/debian/patches/series
@@ -0,0 +1 @@
+0001-Remove-explicit-delete-while-update-CA-bundle.patch
\ No newline at end of file
diff --git a/debian_iso_image.inc b/debian_iso_image.inc
index 18ba38515..547b313a5 100644
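Review bot: With `rm -f "$CERTBUNDLE"` gone, the script relies entirely on the later `mv -f` of the temp bundle onto `$CERTBUNDLE` (described in the commit message but outside this hunk) to replace the old file, and nothing at the point of the removed line says so; I would leave a comment in its place, `# Do not remove the old bundle here: the mv -f of "$TEMPBUNDLE" below replaces it atomically, so readers never observe a missing file.` The rename replaces a regular file or a symlink at that path, but if ca-certificates.crt were ever a directory the move would put the temp file inside it rather than replace it — the old rm -f would not have coped with that either, so this is a caveat for the comment rather than a regression. Atomicity also presumes the temp bundle is created in the same directory as the target, which the hunk does not show and is worth confirming. One consequence worth recording in the commit message: if the script now aborts between this point and the move, the previous bundle stays in place, so a CA that the run was meant to drop remains trusted until a successful rerun, whereas before the system was left with no bundle at all; callers should check the exit status rather than assume the bundle reflects the current anchors.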
--- a/debian_iso_image.inc
+++ b/debian_iso_image.inc
@@ -432,3 +432,5 @@ trident-installer
 #watchdog
 watchdog
+
+ca-certificates
diff --git a/debian_pkg_dirs b/debian_pkg_dirs
index 74bc460ac..1610d302b 100644
--- a/debian_pkg_dirs
+++ b/debian_pkg_dirs
@@ -9,6 +9,7 @@ base/linuxptp
 base/lvm2
 base/lsb
 base/openssl
+base/ca-certificates
 base/pf-bb-config
 base/synce4l
 base/systemd