pkgsrc-Bugs archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

pkg/55609: curl should install or at least recommend mozilla-rootcerts

>Number:         55609
>Category:       pkg
>Synopsis:       curl should install or at least recommend mozilla-rootcerts
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    pkg-manager
>State:          open
>Class:          change-request
>Submitter-Id:   net
>Arrival-Date:   Thu Aug 27 02:10:00 +0000 2020
>Originator:     Jan Schaumann
>Release:        NetBSD 8.0
System: NetBSD 8.0 NetBSD 8.0 (PANIX-VC) #0: Fri May 3 16:47:37 EDT 2019 amd64
Architecture: x86_64
Machine: amd64

When a user installs NetBSD 9.0 and then uses pkgin to e.g., install curl(1),
the resulting tool is not able to access https resources, because the system
appears to be missing a CA trust bundle (or, if it provides one, the pkgsrc
provided binary doesn't know how to use it).

This makes the curl(1) utility near useless for most common use cases.

While a point can be made that the user ought to decide for themselves which
CAs to trust, this is not particularly user-friendly and likely leads to one
of the following outcomes:
1) the user ignores all warnings from curl(1) and defaults to '-k'
2) the user installs 'mozilla-rootcerts' without any scrutiny and trusts all
   those CAs
3) the user grumbles "NetBSD is broken", shakes their fist, and moves on to
   another system whenever they have a chance

(1) and (3) are obviously not desirable; (2) requires the user to know to
install 'mozilla-rootcerts', but also does not reflect any sort of assessment
of which CAs to trust.

Now a user who is knowledgeable enough _and_ understands which CAs they want to
trust is rare, but such a user would likely be careful enough to customize
whatever CA bundle either the OS or the package installs.

Given the most desirable outcome, I believe the right thing to do here would be
for the curl(1) package to depend on 'mozilla-rootcerts' and in it's install
message point out to the user that they may wish to customize the trust bundle
if they know what they're doing.

(This would apply equally to other packages that require a trust bundle to
function in most scenarios.)

At a very minimum, the curl(1) package (and, again, any other similar packages)
should include in their post-install message a note that it currently does not
provide any CA bundle, that a CA bundle is required, and where to find it,
although I'd vastly prefer if the installation of the package yielded a
functioning curl(1) without further changes.


Install NetBSD 9.0.
Install pkgin.

pkgin install curl

curl -I
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here:

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.



Home | Main Index | Thread Index | Old Index