Re: fixing libfetch as a first-class object

[Greg Troxel <gdt%lexort.com@localhost>]

Jörg Sonnenberger <joerg%bec.de@localhost> writes:

> On Sunday, December 31, 2023 12:25:29 AM CET Greg Troxel wrote:
>> ftp(1) does validate https by default (disablable by env var), which
>> will mean downloads fail if no trust anchors are configured.
>
> ftp doesn't do that on NetBSD 9? Almost everything would fail otherwise.
> That's the only reason I never committed the trivial patch to libfetch to
> enable the verification - because the NetBSD crowd would cry for blood.

Sorry, I looked at 10 sources and didn't look back.

This doesn't change my view about changing libfetch in pkgsrc-current,
but it does make me less in favor of a pullup that enables validation on
other than NetBSD >= 10.

People without trust anchors configured will have to either set that up
or enable the no-verify env var.  Given that they need similar
workarounds for a number of other things, I feel like we have arrived at
it being ok to shift the burden to that, vs having everyone have
verification off.   I think that's the pretty strong consensus on this
thread.   Sounds like you are ok with that too, and just didn't feel
like it would be socially acceptable in an earlier time (and I'm not
saying you were wrong about that!).