Re: Enabling SSL in pkg_install

[Jason Bacon <bacon4000%gmail.com@localhost>]

On 01/27/18 08:57, Jason Bacon wrote:
> On 01/25/18 16:47, Jonathan Perkin wrote:
> > * On 2018-01-25 at 21:58 GMT, Jason Bacon wrote:
> >
> > > I'd like to use https with pkgin but...
> > >
> > > [root@unixdev2 bacon]# pkgin avail
> > > reading local summary...
> > > processing local summary...
> > > SSL support disabled
> > > SSL support disabled
> > > SSL support disabled
> > > pkgin: Could not fetch
> > > https://mirror1.hpc.uwm.edu/pkgsrc/packages/usr/pkg/RHEL7/All/pkg_summary.gz 
> > >
> > >
> > > The problem appears to be in pkg_install.  What's the canonical way to
> > > enable SSL during bootstrap?
> > >
> > > Just add openssl to PKG_DEFAULT_OPTIONS or PKG_OPTIONS.libfetch?
> > You can't do it during bootstrap if you use openssl from pkgsrc as
> > bootstrap doesn't support building security/openssl, but you can
> > rebuild pkg_install afterwards with the ssl option enabled and then
> > use that package in your bootstrap kit, which is what we do.
> >
> > I also use
> >
> > https://github.com/joyent/pkgsrc/commit/98f279b475e9f1850cea14df4fe80af92cee2ec0
> >
> > which, yes, is a hack, but there are too many corner cases where
> > linking pkg_install against pkgsrc openssl will screw you (think
> > through what happens when you upgrade openssl...)
> I'm thinking one would have to deliberately override dependency checks 
> in order to upgrade pkgsrc openssl without rebuilding its dependents, 
> correct?
>
> On another note, it seems that building libfetch with openssl support 
> is sufficient to enable SSL in pkg_install, but pkgin needs to be 
> rebuilt as well.  I've been using the attached script to retrofit my 
> old trees with SSL support.  I did not intend to enable SSL in 
> pkg_install, but serendipitously discovered that it works after 
> applying this fix.
FYI:

auto-pkgsrc-setup now enables SSL in pkg_add/pkgin by rebuilding 
libfetch and pkgin post-bootstrap.

    https://netbsd.org/~bacon/

Also see pkgsrc-enable-ssl at the above link to retrofit preexisting 
pkgsrc trees with SSL support.  It's tested on trees created by 
auto-pkgsrc-setup.  No guarantees on trees installed by other means.

--
Earth is a beta site.