pkgsrc-Users archive


pkgin from 8.0/amd64 -> "SSL support disabled"?



Hi,

I just upgraded one of my systems using "pkgin -y fug", using the
NetBSD-built packages for 8.0/amd64, via

  https://cdn.NetBSD.org/pub/pkgsrc/packages/NetBSD/amd64/8.0/All

This is on a host running 9.0 (packages for 9.0 were not
available at the time...)

So after the upgrade I changed repositories.conf to

  https://cdn.NetBSD.org/pub/pkgsrc/packages/NetBSD/amd64/9.0/All

and did "pkgin up", and was met with

   processing remote summary (https://cdn.NetBSD.org/pub/pkgsrc/packages/NetBSD/amd64/8.0/All)...
   SSL support disabled
   SSL support disabled
   SSL support disabled
   pkgin: Could not fetch https://cdn.NetBSD.org/pub/pkgsrc/packages/NetBSD/amd64/8.0/All/pkg_summary.gz

Digging around with some hints from fellow developers reveals that
this message comes from libfetch, and its common.c shows that this
message appears if the program isn't built with WITH_SSL.  Libfetch is
linked statically into pkgin, by the looks of it.

libfetch's options.mk has

PKG_SUPPORTED_OPTIONS=  inet6 openssl
PKG_SUGGESTED_OPTIONS=  inet6

and apparently some code to use the builtin OpenSSL via

CHECK_BUILTIN.openssl:= yes
.include "../../security/openssl/builtin.mk"
CHECK_BUILTIN.openssl:= no

.if !empty(USE_BUILTIN.openssl:M[yY][eE][sS])
PKG_SUGGESTED_OPTIONS+= openssl
.endif

However, it appears that if you update pkgin via

  https://cdn.NetBSD.org/pub/pkgsrc/packages/NetBSD/amd64/8.0/All

you end up with a pkgin which is built with a libfetch which is *not*
built with the openssl option.  How that happened I have no further
insight into, I'm afraid.

Thus, if you rely on using "pkgin" and have a strong preference for
fetching the packages using https, you will find yourself at a dead
end (which is pretty terrible).

To recover from this, you will need to rebuild and re-install libfetch
using pkgsrc, and then rebuild and re-install pkgin.  In libfetch you
can do "make show-var VARNAME=PKG_SUGGESTED_OPTIONS" to make sure
"openssl" is among the suggested options.

Regards,

- Håvard
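
A pre-flight check for the dead end described in the message above, as an added example that is not part of the original message or of pkgsrc. It assumes that a libfetch built without WITH_SSL leaves the literal error text in the statically linked pkgin binary; the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Assumption: the no-SSL build of libfetch embeds this
# error text, so it can be found in a statically linked pkgin binary.
MARKER='SSL support disabled'

# Return 0 if the binary contains the no-SSL error string.
lacks_ssl() {
    grep -qF "$MARKER" "$1"
}

# Print the active https:// lines of a repositories.conf file
# (comments, surrounding whitespace and blank lines are dropped).
https_repos() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" |
        grep '^https://' || true
}

# Return 0 if "openssl" is a whole word in an options list, e.g. the
# output of: make show-var VARNAME=PKG_SUGGESTED_OPTIONS
has_openssl() {
    for opt in $1; do
        [ "$opt" = openssl ] && return 0
    done
    return 1
}

# Return 1 and explain when the configured repositories need https
# but the given pkgin binary cannot speak it.
preflight() {
    bin=$1 conf=$2
    repos=$(https_repos "$conf")
    if [ -n "$repos" ] && lacks_ssl "$bin"; then
        echo "pkgin at $bin has no SSL support, but these repos need it:" >&2
        echo "$repos" >&2
        return 1
    fi
    return 0
}

# Typical call; both paths are assumed defaults, adjust to your prefix:
#   preflight /usr/pkg/bin/pkgin /usr/pkg/etc/pkgin/repositories.conf
```

Running preflight before replacing a working pkgin shows whether the new binary can still reach the https repositories it is configured for.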

