Re: Cert validation in pkg_add

To: Taylor R Campbell <riastradh%NetBSD.org@localhost>
Subject: Re: Cert validation in pkg_add
From: Greg Troxel <gdt%lexort.com@localhost>
Date: Tue, 19 Dec 2023 09:33:56 -0500

[I have been not dealing with NetBSD/pkgsrc due to unstable power and
having to clear downed trees due to a storm, now resolved I think, plus
other obligations, continuing.  So this is a bit briefer than usual.]

  About 3 years ago, a change that was broadly right in principle went
  in, and it had huge unintended consequences that resulted in me
  spending time I didn't have dealing with it.  I don't want to be in a
  situation where we have to choose between operating under time
  pressure or delaying the branch.  I will choose delaying if so, even
  if it means the end of January.  The whole point of the quarterly
  cadence is to reliably produce branches without brokenness.

  There is broad agreement in principle about defaulting https fetches
  for pkg_add to validate.

  There is not agreement about many of the finer points, as 1) I've
  objected to some of them and 2) it seems all the discussion is about
  the highest-level points.

  There is, at least in my head, a lack of clarity about whether we are
  changing the required version of pkg_install for pkgsrc, and if that
  is NetBSD 10 only or all platforms.

  pkgsrc is about a large number of platforms, not just NetBSD and not
  just NetBSD 10.

  Were we not near a freeze/branch, we'd be continuing to discuss, and
  not commit anything.  I am broadly not ok with operating under time
  pressure, and the standard approach in pkgsrc for changes that feel
  like pressure or that perhaps have unintended consequences is "wait
  until after the branch; this sort of thing belongs in month 1".

  We tend to only pull up build and security fixes to pkgsrc branches,
  but I don't see why varying from that is any more or less impossible
  than varying from the stability rules.  In particular, applying a
  change a week or so after branch, after we have builds that are ok,
  seems safer.

So where I land is not to land anything today, and we can hash out the
parts that are less clear, and head to a patch that people can actually
apply and test (meaning produce binaries and update other systems with
them) while not under time pressure, and I think there is no procedural
bar to applying that to pkgsrc-current and 2023Q4 in early January.  I
will likely ask that we not make changes in libfetch/pkg_add that will
be confounding to this as the freeze ends, to ease this process.

I realize some of you won't like this, but I see this as the best way to
balance all the concerns.

Follow-Ups:
- Re: Cert validation in pkg_add
  - From: Jonathan Perkin

References:
- Re: Cert validation in pkg_add
  - From: Taylor R Campbell

Prev by Date: Re: un-self-conficting python packages for non-default python
Next by Date: 2023Q4 freeze has started
Previous by Thread: Re: Cert validation in pkg_add
Next by Thread: Re: Cert validation in pkg_add
Indexes:

Home | Main Index | Thread Index | Old Index