NetBSD-Bugs archive


Re: install/60359: Sysinst, installing new 11.99.6 aarch64 vm: "ftp: Unsupported URL scheme `https'"



The following reply was made to PR install/60359; it has been noted by GNATS.

From: Taylor R Campbell <riastradh%NetBSD.org@localhost>
To: Martin Husemann <martin%duskware.de@localhost>
Cc: gnats-bugs%netbsd.org@localhost, install-manager%netbsd.org@localhost, gnats-admin%netbsd.org@localhost,
	netbsd-bugs%netbsd.org@localhost, agc%pkgsrc.org@localhost
Subject: Re: install/60359: Sysinst, installing new 11.99.6 aarch64 vm: "ftp:
	Unsupported URL scheme `https'"
Date: Wed, 24 Jun 2026 21:52:33 +0000

 > Date: Wed, 24 Jun 2026 11:11:31 +0200
 > From: Martin Husemann <martin%duskware.de@localhost>
 >
 > I could imagine a ftp version compiled with -DSMALL as part of a ramdisk
 > having no https support, but for aarch64 this sounds super strange.
 > And it would be kinda tricky to auto-detect this for sysinst, so we'd have
 > to pass a -DFTP_HAS_NO_HTTPS or similar to the crunched sysinst build
 > for that case.
 
 Do we have any automatic tests of the path to fetch pkgsrc.tgz?  Have
 you tested and confirmed it works?
 
 It looks like, when fetching pkgsrc.tgz, sysinst runs ftp(1) _outside_
 the chroot where certctl(8) has configured trust anchors:
 
     976 static int
     977 pkgsrc_fetch(const char *set_name)
     978 {
     979 	return do_ftp_fetch(set_name, true, &pkgsrc);
     980 }
     981
     982 static int
     983 do_ftp_fetch(const char *set_name, bool force_tgz, struct ftpinfo *f)
     984 {
 ...
    1000 	rval = run_program(RUN_DISPLAY | RUN_PROGRESS | RUN_XFER_DIR,
    1001 		    "/usr/bin/ftp %s%s/%s%s",
 
 https://nxr.netbsd.org/xref/src/usr.sbin/sysinst/net.c?r=1.45#976
 
 That ftp(1) was probably built with -DSMALL, too.
 
 In contrast, sysinst runs pkg_add(1) _inside_ the chroot where
 certctl(8) has configured trust anchors:
 
     360 		/*
     361 		 * Make sure we have the TLS certs in a usable state
     362 		 * (if target is a new installation)
     363 		 */
     364 		if (pkg.xfer == XFER_HTTPS)
     365 			run_program(RUN_CHROOT | RUN_SILENT,
     366 			    "/bin/sh /etc/rc.d/certctl_init onestart");
     367
     368 		make_url(pkgpath, &pkg, pkg_dir);
     369 		if (run_program(RUN_DISPLAY | RUN_PROGRESS | RUN_CHROOT,
     370 			"pkg_add %s/pkgin", pkgpath) == 0) {
 
 https://nxr.netbsd.org/xref/src/usr.sbin/sysinst/configmenu.c?r=1.23#360
 
 (I'm confused by the comment there, because it looks like for a new
 installation, sysinst already runs certctl rehash on unpacking sets:
 https://nxr.netbsd.org/xref/src/usr.sbin/sysinst/util.c?r=1.83#1598
 Maybe the comment is about existing installations instead of new
 installations?)
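
Added example, not part of the original message and not sysinst code: a small diagnostic that compares the trust-anchor state a TLS client would see when run outside the chroot (as the ftp(1) call above is) with the state inside it (as the pkg_add(1) call is). The directory `etc/openssl/certs`, the `<hash>.<n>` entry naming and the `/targetroot` mount point in the usage note are assumptions, as are the function names.

```shell
#!/bin/sh
# Added diagnostic sketch; not sysinst code.
# Assumption: certctl(8) keeps hashed trust anchors as <8 hex digits>.<n>
# entries in etc/openssl/certs below a given root directory.
CERTS_REL="etc/openssl/certs"

# count_anchors ROOT: print the number of hashed anchor entries under ROOT.
count_anchors() {
    dir="${1%/}/$CERTS_REL"
    n=0
    [ -d "$dir" ] || { echo 0; return 0; }
    for f in "$dir"/*; do
        # Skip an unmatched glob, but keep symlinks that only resolve
        # inside the chroot and look dangling when viewed from outside it.
        [ -e "$f" ] || [ -L "$f" ] || continue
        case "${f##*/}" in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*)
                n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# tls_view HOSTROOT TARGETROOT: say where a TLS client would find anchors.
#   chroot-only  only a client run inside the chroot can verify servers
#   both / host-only / none
tls_view() {
    host=$(count_anchors "$1")
    target=$(count_anchors "$2")
    if [ "$host" -eq 0 ] && [ "$target" -gt 0 ]; then
        echo "chroot-only"
    elif [ "$host" -gt 0 ] && [ "$target" -gt 0 ]; then
        echo "both"
    elif [ "$host" -gt 0 ]; then
        echo "host-only"
    else
        echo "none"
    fi
}

# When invoked with two roots, report on them.
if [ "$#" -eq 2 ]; then
    tls_view "$1" "$2"
fi
```

Run from the installer environment as `sh check.sh / /targetroot` (script name and mount point assumed); a result of `chroot-only` matches the situation described above for a command run without RUN_CHROOT.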
 


