On Tue, 23 Apr 2024 at 15:24, Martin Husemann <mar...@duskware.de> wrote:
>
> On Tue, Apr 23, 2024 at 03:17:14PM +0100, David Brownlee wrote:
> > However, while better checking of trust anchors is a better end state
> > - assuming I am understanding the situation correctly: in an
> > effectively unannounced change, pkgin on a -9 system without either
> > security/mozilla-rootcerts-openssl installed or /etc/openssl will now
> > just fail, including any attempt to install mozilla-rootcerts-openssl
> > to resolve.
>
> Only if the binary pkgs repository URL was using https.
> Default setup used to be http:

Aha, thanks! - that would be the item of information I lacked :)

> > This requires manual intervention to set an environment variable to
> > allow mozilla-rootcerts-openssl to be installed, or otherwise set up
> > /etc/openssl. That would appear to be an unhelpful change, to the
> > extent that I would propose pkgin on netbsd < 10 might be better to
> > default to disabling checking trust anchors (with a warning).
>
> Edit the URL, install mozilla-rootcerts-openssl, change the URL back.

I would still classify it as unhelpful, but if it is only affecting
users who have changed their setup from the recommended, then it is
more of a "it would be good to see if there is a way to help them"
rather than an "oops!!" :-p

I also appreciate the amount of bikeshedding and general pulling at
different angles it took to get to where we are with it working well
on -10... so as long as the default & recommended pkgin install on <
netbsd-10 is for http rather than https, I'm inclined to leave well
enough alone

Thanks

David