On Tue, 23 Apr 2024 at 12:45, Greg Troxel <[email protected]> wrote:
>
> David Brownlee <[email protected]> writes:
>
> > Do you have security/mozilla-rootcerts-openssl installed? (which
> > should provide a full set of certs in /etc/openssl). Alternatively
> > what do you have in /etc/openssl
> >
> > For netbsd-10 /etc/openssl is populated by the OS, but doing that
> > would be a breaking change on netbsd-9, however it may be that the
> > latest pkgin is enforcing SSL certificates by default on netbsd-9
> > which would be... unhelpful in this case
>
> I don't see it as unhelpful -- doctrine has always been that the sysadmin
> should choose which CAs to configure as trust anchors. In 10, that's
> still more or less doctrine, except the default set is mozilla (or ish)
> rather than the empty set. If you haven't set up trust anchors, lots of
> things are troubled.
For -10, or systems which ship with trust anchors in /etc/openssl or equivalent, I would agree the changed behaviour is an absolute improvement.

However, while better checking of trust anchors is a better end state - assuming I am understanding the situation correctly: in an effectively unannounced change, pkgin on a -9 system without either security/mozilla-rootcerts-openssl installed or /etc/openssl will now just fail, including any attempt to install mozilla-rootcerts-openssl to resolve. This requires manual intervention to set an environment variable to allow mozilla-rootcerts-openssl to be installed, or otherwise set up /etc/openssl.

That would appear to be an unhelpful change, to the extent that I would propose pkgin on netbsd < 10 might be better to default to disabling checking trust anchors (with a warning).

If I have misunderstood the situation - my apologies.

David
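The thread turns on whether a system's /etc/openssl actually holds any trust anchors before pkgin starts enforcing certificate checks. The following check is an added example, not code from the thread, from pkgin or from NetBSD; it assumes the usual layout of a cert.pem bundle and/or individual files under a certs/ subdirectory, and counts PEM certificates so an administrator can see an empty trust store before an upgrade rather than after a failed install.

```shell
#!/bin/sh
# Added example: report whether a directory holds usable PEM trust anchors.
# Assumed layout: DIR/cert.pem (bundle) and/or DIR/certs/* (one cert per file).

# count_trust_anchors DIR
#   Prints the number of "BEGIN CERTIFICATE" blocks found in DIR/cert.pem and
#   in every regular file under DIR/certs/. Returns 1 (and prints 0) when DIR
#   is missing or contains no certificates, so it can gate an upgrade script.
count_trust_anchors() {
    dir=$1
    total=0
    if [ ! -d "$dir" ]; then
        echo 0
        return 1
    fi
    for f in "$dir"/cert.pem "$dir"/certs/*; do
        [ -f "$f" ] || continue
        # grep -c prints 0 and exits 1 on no match; keep the 0, ignore the status
        n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f" 2>/dev/null || true)
        total=$((total + n))
    done
    echo "$total"
    [ "$total" -gt 0 ]
}

# Typical use on a netbsd-9 host before upgrading pkgin:
#   if ! count_trust_anchors /etc/openssl >/dev/null; then
#       echo "no trust anchors in /etc/openssl; install mozilla-rootcerts-openssl first" >&2
#   fi
```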
