NetBSD-Bugs archive


Re: install/60359: Sysinst, installing new 11.99.6 aarch64 vm: "ftp: Unsupported URL scheme `https'"



> Date: Wed, 24 Jun 2026 11:11:31 +0200
> From: Martin Husemann <martin%duskware.de@localhost>
> 
> I could imagine a ftp version compiled with -DSMALL as part of a ramdisk
> having no https support, but for aarch64 this sounds super strange.
> And it would be kinda tricky to auto-detect this for sysinst, so we'd have
> to pass a -DFTP_HAS_NO_HTTPS or similar to the crunched sysinst build
> for that case.

Do we have any automatic tests of the path to fetch pkgsrc.tgz?  Have
you tested and confirmed it works?

It looks like, when fetching pkgsrc.tgz, sysinst runs ftp(1) _outside_
the chroot where certctl(8) has configured trust anchors:

    976 static int
    977 pkgsrc_fetch(const char *set_name)
    978 {
    979 	return do_ftp_fetch(set_name, true, &pkgsrc);
    980 }
    981 
    982 static int
    983 do_ftp_fetch(const char *set_name, bool force_tgz, struct ftpinfo *f)
    984 {
...
   1000 	rval = run_program(RUN_DISPLAY | RUN_PROGRESS | RUN_XFER_DIR,
   1001 		    "/usr/bin/ftp %s%s/%s%s",

https://nxr.netbsd.org/xref/src/usr.sbin/sysinst/net.c?r=1.45#976

That ftp(1) was probably built with -DSMALL, too.

In contrast, sysinst runs pkg_add(1) _inside_ the chroot where
certctl(8) has configured trust anchors:

    360 		/*
    361 		 * Make sure we have the TLS certs in a usable state
    362 		 * (if target is a new installation)
    363 		 */
    364 		if (pkg.xfer == XFER_HTTPS)
    365 			run_program(RUN_CHROOT | RUN_SILENT,
    366 			    "/bin/sh /etc/rc.d/certctl_init onestart");
    367 
    368 		make_url(pkgpath, &pkg, pkg_dir);
    369 		if (run_program(RUN_DISPLAY | RUN_PROGRESS | RUN_CHROOT,
    370 			"pkg_add %s/pkgin", pkgpath) == 0) {

https://nxr.netbsd.org/xref/src/usr.sbin/sysinst/configmenu.c?r=1.23#360

(I'm confused by the comment there, because it looks like for a new
installation, sysinst already runs certctl rehash on unpacking sets:
https://nxr.netbsd.org/xref/src/usr.sbin/sysinst/util.c?r=1.83#1598
Maybe the comment is about existing installations instead of new
installations?)
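
The message above contrasts ftp(1) run against the installer's own root with pkg_add(1) run under RUN_CHROOT in the target, where certctl(8) has configured trust anchors. The script below is an added example, not part of the original message or of sysinst, that reports which of two roots actually holds usable anchors. The `etc/openssl/certs` location and all function names are assumptions.

```sh
#!/bin/sh
# Added example: report whether a root directory contains OpenSSL-style
# hashed trust anchors, i.e. whether a TLS client using that directory as
# its "/" could verify a server certificate.
# Assumption: anchors live in etc/openssl/certs under each root.
CERTS_SUBDIR="etc/openssl/certs"

# count_anchors ROOT -> prints the number of entries named like "0123abcd.0"
count_anchors() {
	dir="$1/$CERTS_SUBDIR"
	n=0
	[ -d "$dir" ] || { echo 0; return 0; }
	for f in "$dir"/*; do
		# OpenSSL looks anchors up by subject-hash file name:
		# eight lowercase hex digits, a dot, then a collision index.
		# Links are counted by name only, because an absolute link
		# target inside a chroot does not resolve from outside it.
		case "${f##*/}" in
		[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*)
			n=$((n + 1)) ;;
		esac
	done
	echo "$n"
}

# https_fetch_ready ROOT -> exit status 0 if ROOT has at least one anchor
https_fetch_ready() {
	[ "$(count_anchors "$1")" -gt 0 ]
}

# compare_roots INSTALLER_ROOT TARGET_ROOT -> one status line per root
compare_roots() {
	for r in "$1" "$2"; do
		if https_fetch_ready "$r"; then
			echo "$r: $(count_anchors "$r") trust anchors"
		else
			echo "$r: no trust anchors, certificate verification would fail here"
		fi
	done
}

# Stand-alone use: pass the installer root and the target root as arguments.
if [ "$#" -eq 2 ]; then
	compare_roots "$1" "$2"
fi
```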


