Created attachment 884162
patch src_prepare to allow user patch from work folder

To blacklist some certs from mozilla, we need to patch the file ca-certificates/mozilla/blacklist.txt. Below is a sample patch file.

-----------------------------------
/etc/portage/patches/app-misc/ca-certificates/block_cn_certs.patch
--- a/ca-certificates/mozilla/blacklist.txt 2023-03-11 16:37:33.000000000 +0800 +++ b/ca-certificates/mozilla/blacklist.txt 2023-12-09 17:40:21.130596943 +0800 
@@ -2,5 +2,15 @@ # Blacklist explicitly distrusted certificates to explicitly ignore them and prevent build errors "Explicitly Distrust DigiNotar Root CA" +"CFCA EV ROOT" +"GDCA TrustAUTH R5 ROOT" +"UCA Global G2 Root" +"UCA Extended Validation Root" +"vTrus ECC Root CA" +"vTrus Root CA" +"BJCA Global Root CA1" +"BJCA Global Root CA2" +"TrustAsia Global Root CA G3" +"TrustAsia Global Root CA G4" # Expired CAs
-----------------------------------

But the current ebuild prevents any patch from being applied to the work folder, because the `default` call happens after `cd "image/${EPREFIX}"`. At that time, the working folder is work/image/${EPREFIX}, which effectively prevents any patch from being applied to ca-certificates/mozilla.

Below is the code causing this issue (with my comments marked with ###benstone):

src_prepare() {
	###benstone The default call should happen here
	cd "image/${EPREFIX}" || die
	if ! ${PRECOMPILED} ; then
		mkdir -p usr/sbin || die
		cp -p "${S}"/${PN}/sbin/update-ca-certificates \
			usr/sbin/ || die

		if use cacert ; then
			pushd "${S}"/nss-${NSS_VER} >/dev/null || die
			eapply "${DISTDIR}"/nss-cacert-class1-class3-r2.patch
			popd >/dev/null || die
		fi
	fi

	###benstone It's too late to apply patch, because the current folder is not work
	default
	eapply -p2 "${FILESDIR}"/${PN}-20150426-root.patch

	pushd "${S}/${PN}" >/dev/null || die
	# We patch out the dep on cryptography as it's not particularly useful
	# for us. Please see the discussion in bug #821706. Not to be removed lightly!
	eapply "${FILESDIR}"/${PN}-20230311.3.89-no-cryptography.patch
	popd >/dev/null || die

	local relp=$(echo "${EPREFIX}" | sed -e 's:[^/]\+:..:g')
	sed -i \
		-e '/="$ROOT/s:ROOT:ROOT'"${EPREFIX}"':' \
		-e '/RELPATH="\.\./s:"$:'"${relp}"'":' \
		usr/sbin/update-ca-certificates || die
}
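
Review bot: The ten labels added after "Explicitly Distrust DigiNotar Root CA" in the blacklist.txt hunk sit under the existing comment "# Blacklist explicitly distrusted certificates to explicitly ignore them and prevent build errors", which describes build-error workarounds rather than a local trust decision. Add a separate comment line above the new entries saying they are locally distrusted and why, so a later reader can tell them apart from the existing entry when the file changes.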
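
A check that a user patch to blacklist.txt actually took effect after the rebuild, as an added example that is not part of the original report or of the ebuild. It reads the quoted labels from a blacklist.txt in the format shown above and reports any that still have a certificate file in a given directory. The one-file-per-certificate layout, with the file named after the label with spaces replaced by underscores plus `.crt`, is an assumption, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit a certificate directory against blacklist.txt.
# Assumption: each certificate is stored as <label>.crt with the spaces
# in the label replaced by underscores; edit label_to_file otherwise.

# Print the quoted labels of a blacklist.txt, one per line.
# Comment lines (#) and blank lines do not match and are skipped.
blacklist_labels() {
    sed -n 's/^"\(.*\)"[[:space:]]*$/\1/p' "$1"
}

# Map a certificate label to the file name assumed above.
label_to_file() {
    printf '%s.crt\n' "$(printf '%s' "$1" | tr ' ' '_')"
}

# Print every blacklisted label that still has a certificate file in
# directory $2. Returns 0 if none is present, 1 if at least one is.
audit_blacklist() {
    leaked=0
    while IFS= read -r label; do
        [ -n "$label" ] || continue
        if [ -e "$2/$(label_to_file "$label")" ]; then
            printf '%s\n' "$label"
            leaked=1
        fi
    done <<EOF
$(blacklist_labels "$1")
EOF
    return "$leaked"
}

# Usage: sh audit.sh <patched blacklist.txt> <certificate directory>
if [ "$#" -eq 2 ]; then
    audit_blacklist "$1" "$2"
fi
```

A non-zero exit status with labels printed means the patch was not applied to the tree the certificates were built from, which is the symptom the misplaced `default` call would produce.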