pkgsrc-Changes archive


CVS commit: pkgsrc/mk/fetch



Module Name:    pkgsrc
Committed By:   maya
Date:           Thu Dec 26 20:23:07 UTC 2024

Modified Files:
        pkgsrc/mk/fetch: fetch.mk

Log Message:
Validate TLS when fetching.

This is not a security issue for users of pkgsrc as any downloaded files
are checked against a checksum, but it is for developers who are updating a
package and generating the checksum for the first time.

We know this is a safe change to make as some bulk builds are already
running with TLS verification (e.g. the default fetch method on NetBSD 10
validates TLS, and there aren't issues shown by bulk builds).

If an upstream has TLS errors, we can work around it using
`make upload-distfiles`, which will upload it to our local distfile mirror,
and is a default fallback.

PR pkg/58891


To generate a diff of this commit:
cvs rdiff -u -r1.79 -r1.80 pkgsrc/mk/fetch/fetch.mk

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/mk/fetch/fetch.mk
diff -u pkgsrc/mk/fetch/fetch.mk:1.79 pkgsrc/mk/fetch/fetch.mk:1.80
--- pkgsrc/mk/fetch/fetch.mk:1.79       Tue Oct 22 06:29:21 2024
+++ pkgsrc/mk/fetch/fetch.mk    Thu Dec 26 20:23:07 2024
@@ -1,4 +1,4 @@
-# $NetBSD: fetch.mk,v 1.79 2024/10/22 06:29:21 jperkin Exp $
+# $NetBSD: fetch.mk,v 1.80 2024/12/26 20:23:07 maya Exp $
 
 .if empty(INTERACTIVE_STAGE:Mfetch) && empty(FETCH_MESSAGE:U)
 _MASTER_SITE_BACKUP=   ${MASTER_SITE_BACKUP:=${DIST_SUBDIR}${DIST_SUBDIR:D/}}
@@ -219,6 +219,9 @@ fetch-check-interactive: .USEBEFORE
 #      to try to resume interrupted file transfers to avoid downloading
 #      the whole file.  The default is set in pkgsrc/mk/defaults/mk.conf.
 #
+# FETCH_INSECURE, if defined, will cause the fetch command to not validate
+#      TLS certificates.
+#
 # FETCH_TIMEOUT, if defined, will cause the fetch command to quit on stalled
 #      connections after the given amount of seconds.
 #       The specific behavior depends on the command used.
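
Review bot: The new FETCH_INSECURE comment does not say that merely defining the variable is enough to switch validation off, nor does it warn about the one case the log message identifies as risky. Since the variable is consumed through `:D`, any definition (including an empty value or "no") disables certificate checks; it would help to state that here, and to add that it should not be set while generating a package's checksum for the first time, because nothing else authenticates the download at that point.
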
@@ -267,7 +270,7 @@ _FETCH_CMD.fetch=           ${PKGSRC_SETENV} \
                                ${TOOLS_PATH.fetch}
 
 _FETCH_BEFORE_ARGS.wget=       ${PASSIVE_FETCH:D--passive-ftp} \
-                               --no-check-certificate \
+                               ${FETCH_INSECURE:D--no-check-certificate} \
                                ${FETCH_TIMEOUT:D--timeout=${FETCH_TIMEOUT}} \
                                ${FETCH_USE_IPV4_ONLY:D--inet4-only}
 _FETCH_AFTER_ARGS.wget=                # empty
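
Review bot: In the wget arguments, `${FETCH_INSECURE:D--no-check-certificate}` tests only whether the variable is defined, so `FETCH_INSECURE=no` or an empty assignment in mk.conf still passes `--no-check-certificate`. This matches the `PASSIVE_FETCH:D` idiom on the line above, but for a switch that turns off a security check a yes/no test on the value would be less surprising. If the defined-only behaviour is intended, the documentation comment should say so explicitly.
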
@@ -289,7 +292,8 @@ _FETCH_CMD.ofhttp=          ${PKGSRC_SETENV} ofh
 # Generic FETCH_PROXY is passed via the --proxy argument to support
 # other protocols like socks4/socks5.
 _FETCH_BEFORE_ARGS.curl=       ${PASSIVE_FETCH:D--ftp-pasv} \
-                               --fail --insecure --location --remote-time \
+                               --fail --location --remote-time \
+                               ${FETCH_INSECURE:D--insecure} \
                                ${FETCH_TIMEOUT:D--connect-timeout ${FETCH_TIMEOUT}} \
                                ${FETCH_TIMEOUT:D--speed-time ${FETCH_TIMEOUT}} \
                                ${FETCH_PROXY:D--proxy ${FETCH_PROXY:Q}} \
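
Review bot: FETCH_INSECURE is wired into the curl arguments here and the wget arguments above, but the hunk headers show other backends (`_FETCH_CMD.fetch`, `_FETCH_CMD.ofhttp`) whose arguments are not touched in this diff, so the variable appears to do nothing for them. Either give those backends the equivalent option or note in the FETCH_INSECURE documentation which fetch commands honour it, so that a user who sets it knows whether validation is actually off. Note also that the flag sits in `_FETCH_BEFORE_ARGS`, so it applies to every URL fetched in that run and not only to the one upstream with a broken certificate.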


