Re: bin/57456: ftp fails for https in netbsd-10 due to missing certificates

[mlelstv%serpens.de@localhost (Michael van Elst)]

The following reply was made to PR bin/57456; it has been noted by GNATS.

From: mlelstv%serpens.de@localhost (Michael van Elst)
To: gnats-bugs%netbsd.org@localhost
Cc: 
Subject: Re: bin/57456: ftp fails for https in netbsd-10 due to missing certificates
Date: Thu, 8 Jun 2023 17:22:16 -0000 (UTC)

 martin%duskware.de@localhost (Martin Husemann) writes:
 
 >The following reply was made to PR bin/57456; it has been noted by GNATS.
 
 >From: Martin Husemann <martin%duskware.de@localhost>
 >To: gnats-bugs%netbsd.org@localhost
 >Cc: 
 >Subject: Re: bin/57456: ftp fails for https in netbsd-10 due to missing
 > certificates
 >Date: Thu, 8 Jun 2023 13:56:20 +0200
 
 > On Thu, Jun 08, 2023 at 11:45:02AM +0000, Michael van Elst wrote:
 > >  You may install the cert package of your choice and update
 > >  as necessary to track changes. I also suggest to make this
 > >  part of the sysinst process (after seeding the random generator
 > >  where necessary).
 > 
 > That is too late.
 
 > So some sets of certificates *must* be bundled with the installers
 > or that feature in ftp(1) needs to be turned off by default again.
 
 Wouldn't that be even "later" ?
 
 If you want to download from an unproven source, the installer can
 tell ftp to do that without changing defaults.
 
 If you want more trust, you could sign the sets (and deliver a cert
 with the installer for validation). This also works for other kinds
 of downloads.