NetBSD-Users archive


Re: cryptic pkgin SSL cert error



On Tue, 23 Apr 2024 at 12:45, Greg Troxel <gdt%lexort.com@localhost> wrote:
>
> David Brownlee <abs%absd.org@localhost> writes:
>
> > Do you have security/mozilla-rootcerts-openssl installed? (which
> > should provide a full set of certs in /etc/openssl). Alternatively
> > what do you have in /etc/openssl
> >
> > For netbsd-10 /etc/openssl is populated by the OS, but doing that
> > would be a breaking change on netbsd-9, however it may be that the
> > latest pkgin is enforcing SSL certificates by default on netbsd-9
> > which would be... unhelpful in this case
>
> I don't see it as unhelpful -- doctrine has always been that the sysadmin
> should choose which CAs to configure as trust anchors.  In 10, that's
> still more or less doctrine, except the default set is mozilla (or ish)
> rather than the empty set.  If you haven't set up trust anchors, lots of
> things are troubled.

For -10, or systems which ship with trust anchors in /etc/openssl or
equivalent I would agree the changed behaviour is an absolute
improvement.

However, while better checking of trust anchors is a better end state,
assuming I am understanding the situation correctly, in an
effectively unannounced change pkgin on a -9 system without either
security/mozilla-rootcerts-openssl installed or /etc/openssl will now
just fail, including any attempt to install mozilla-rootcerts-openssl
to resolve it.
This requires manual intervention to set an environment variable to
allow mozilla-rootcerts-openssl to be installed, or otherwise to set up
/etc/openssl. That would appear to be an unhelpful change, to the
extent that I would propose pkgin on netbsd < 10 might be better to
default to disabling checking trust anchors (with a warning).

If I have misunderstood the situation - my apologies.

David
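[Added example, not part of the thread above and not pkgin's or NetBSD's own code. It shows the check a sysadmin would want before relying on a pkgin that verifies certificates: does the OpenSSL configuration directory actually hold any trust anchors? The layout it assumes (a `cert.pem` bundle and/or a `certs/` directory of per-CA PEM files under `/etc/openssl`) is an assumption, the PEM data in the demo is constructed, and the environment variable the thread mentions is not named there and is not named here either.]

```shell
#!/bin/sh
# Added example: count the trust anchors in an OpenSSL configuration
# directory and report whether TLS peer verification can succeed at all.
# Assumed layout (not taken from the thread): DIR/cert.pem as a bundle
# and/or DIR/certs/ holding one PEM file (or hashed symlink) per CA.

# Print the number of PEM certificate blocks found under DIR (0 if none).
count_anchors() {
    dir=${1:-/etc/openssl}
    n=0
    for f in "$dir/cert.pem" "$dir"/certs/*; do
        [ -f "$f" ] || continue           # unmatched glob stays literal; skip it
        c=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$f" 2>/dev/null) || c=0
        n=$((n + c))
    done
    echo "$n"
}

# Exit status 0 when DIR holds at least one trust anchor, 1 otherwise.
has_trust_anchors() {
    [ "$(count_anchors "$1")" -gt 0 ]
}

# Diagnose DIR and print the remedies the thread names when it is empty.
# Returns the same status as has_trust_anchors.
check_tls_trust() {
    dir=${1:-/etc/openssl}
    if has_trust_anchors "$dir"; then
        echo "$dir: $(count_anchors "$dir") trust anchor(s) present; TLS peer verification can succeed"
        return 0
    fi
    echo "$dir: no trust anchors found; a pkgin that verifies certificates will fail against an https repository" >&2
    echo "fix: install security/mozilla-rootcerts-openssl, or populate $dir some other way" >&2
    return 1
}

# Self-contained demo on a scratch directory with constructed (not real) PEM
# markers: first the empty case, then after "installing" two anchors.
demo() {
    d=$(mktemp -d) || return 1
    check_tls_trust "$d" || :                 # expected: no anchors
    mkdir "$d/certs"
    printf -- '-----BEGIN CERTIFICATE-----\nCONSTRUCTED\n-----END CERTIFICATE-----\n' > "$d/certs/example.pem"
    printf -- '-----BEGIN CERTIFICATE-----\nCONSTRUCTED\n-----END CERTIFICATE-----\n' > "$d/cert.pem"
    check_tls_trust "$d" || :                 # expected: 2 anchor(s) present
    rm -rf "$d"
}

# Stand-alone run: demo first, then the live directory ($1, default
# /etc/openssl). The trailing "|| :" keeps a negative result from aborting
# a caller that runs under set -e.
demo
check_tls_trust "${1:-/etc/openssl}" || :
```

A hashed `certs/` directory that contains both a file and a symlink to it is counted twice, which is harmless for the yes/no question this answers; what matters is that a count of zero means every verifying client on the host, not just pkgin, will reject every peer.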

