pkgsrc-Bugs archive


pkg/58891: `make distinfo` skips TLS verification for many fetch methods



>Number:         58891
>Category:       pkg
>Synopsis:       `make distinfo` skips TLS verification for many fetch methods
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    pkg-manager
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Dec 11 04:20:01 +0000 2024
>Originator:     coypu
>Release:        pkgsrc-current in December 2024
>Organization:
The --insecureBSD Foundation
>Environment:
NetBSD planets 10.99.11 NetBSD 10.99.11 (GENERIC) #0: Wed Jul 10 20:09:01 EDT 2024  fly@planets:/data/cvs/obj/sys/arch/amd64/compile/GENERIC amd64
>Description:
When fetching with curl, TLS verification is skipped (--insecure flag is passed in fetch.mk).

FETCH_USING=curl url2pkg "https://expired.badssl.com/index.html"; echo $?

This succeeds; it shouldn't, and it doesn't if FETCH_USING=ftp (on NetBSD).

This is a problem as during `make distinfo`, no other forms of validation exist.
>How-To-Repeat:

>Fix:
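
An audit a maintainer could run over fetch-tool argument definitions to catch options such as the `--insecure` described above. This is an added example, not part of the report and not pkgsrc code; the sample fragment and its EXAMPLE_ARGS.* names are constructed, and the choice of tools beyond curl is an assumption.

```sh
#!/bin/sh
# Options that turn off TLS certificate verification in common fetch tools:
# curl (--insecure, -k), wget (--no-check-certificate),
# FreeBSD fetch (--no-verify-peer, --no-verify-hostname),
# aria2c (--check-certificate=false).
INSECURE_FLAGS='--insecure -k --no-check-certificate --no-verify-peer --no-verify-hostname --check-certificate=false'

# Read make-style text from the named files (or stdin) and print "LINE:FLAG"
# for each verification-disabling option. Comment lines are skipped.
# Returns 1 when at least one option was found, 0 otherwise.
# "-k" means other things to other tools, so every hit needs a human look.
find_insecure_fetch_flags() {
    awk -v flags="$INSECURE_FLAGS" '
        BEGIN { n = split(flags, f, " "); for (i = 1; i <= n; i++) bad[f[i]] = 1 }
        /^[ \t]*#/ { next }
        {
            for (i = 1; i <= NF; i++) {
                tok = $i
                # "VAR=--flag" written without a space: drop the "VAR=" part
                if (tok !~ /^-/) sub(/^[^=]*=/, "", tok)
                if (tok in bad) { print NR ":" tok; found = 1 }
            }
        }
        END { exit found }
    ' "$@"
}

# Constructed sample; not the contents of the real fetch.mk.
sample_fragment() {
    cat <<'EOF'
# constructed sample, hypothetical variable names
# a comment that mentions --insecure must not be reported
EXAMPLE_ARGS.curl=  --insecure --fail --location
EXAMPLE_ARGS.wget=  --no-check-certificate -nv
EXAMPLE_ARGS.fetch=--no-verify-peer
EXAMPLE_ARGS.ftp=   -V
EOF
}

if sample_fragment | find_insecure_fetch_flags; then
    echo "no verification-disabling options found"
else
    echo "review the lines listed above" >&2
fi
```

Because the function returns non-zero on any hit, it can gate a commit hook or CI job over the files that define fetch command lines.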


