Re: cryptic pkgin SSL cert error

[David Brownlee <abs%absd.org@localhost>]

On Tue, 23 Apr 2024 at 15:24, Martin Husemann <martin%duskware.de@localhost> wrote:
>
> On Tue, Apr 23, 2024 at 03:17:14PM +0100, David Brownlee wrote:
> > However, while better checking of trust anchors is a better end state
> > - assuming I am understanding the situation correctly: in an
> > effectively unannounced change, pkgin on a -9 system without either
> > security/mozilla-rootcerts-openssl installed or /etc/openssl will now
> > just fail, including any attempt to install mozilla-rootcerts-openssl
> > to resolve.
>
> Only if the binary pkgs repository URL was using https.
> Default setup used to be http:

Aha, thanks! - that would be the item of information I lacked :)

> > This requires manual intervention to set an environment variable to
> > allow mozilla-rootcerts-openssl to be installed, or otherwise setup
> > /etc/openssl. That would appear to be an unhelpful change, to the
> > extent that I would propose pkgin on netbsd < 10 might be better to
> > default to disabling checking trust anchors (with a warning).
>
> Edit the URL, install mozilla-rootcerts-openssl, change the URL back.

I would still classify it as unhelpful, but if it is only affecting
users who have changed their setup from the recommended, then it is
more of a "it would be good to see if there is a was to help them"
rather than an "oops!!" :-p

I also appreciate the amount of bikeshedding and general pulling at
different angles it took to get to where we are with it working well
on -10... so as long as the default & recommended pkgin install on <
netbsd-10 is for http rather than https, I'm inclined to leave well
enough alone

Thanks

David