tech-pkg archive


Architecture neutral packages (mozilla-rootcerts-openssl)



How much work would it be to allow for architecture neutral packages?

I ask because of PR-57456 -
http://gnats.netbsd.org/cgi-bin/query-pr-single.pl?number=57456

By default NetBSD-10 (like earlier NetBSD releases) does not populate
/etc/openssl/certs.

This impacts the base system ftp - which cannot make requests to
https:// URLs by default, and pretty much any openssl-using package -
for example installing mercurial from pkgsrc:

% hg clone https://anonhg.netbsd.org/src
(an attempt was made to load CA certificates but none were loaded; see
https://mercurial-scm.org/wiki/SecureConnections for how to configure
Mercurial to avoid this error) abort: error: [SSL:
CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get
local issuer certificate (_ssl.c:997)

Adding certificates to the system is not that difficult; the key point
is to provide a mechanism to ensure they can be updated.

Two alternative options could be to:
a) provide the mozilla-certs.tgz pseudo-set as mentioned in the PR,
plus update the versions on the server regularly, then find some way
to get users to update
b) implement architecture neutral packages (primarily for
mozilla-rootcerts & mozilla-rootcerts-openssl in this case), and
default the install process to installing them - this also allows
users to update them with other packages (and to use pkgin as the
recommended method to keep the certificates up to date)

Note that certificates available to sysinst is a different issue and
we currently have a workaround.

(I'm using "all-arch" as a placeholder magic token below; I'm assuming
it would be named differently)

On the build side is it more than:
- Updating the tools to understand a magic token to mean "all-arch"
- Adding a new option to set in Makefiles (and matching mk logic) to
note a package as "all-arch" and pass the relevant flags to pkg_create

As for managing them, one of:
a) Put an extra copy at build time into ./all-arch, and symlink games
on upload to ftp.netbsd.org?
b) Add a post upload tool on ftp.netbsd.org which finds the all-arch
packages and copies them to ../../all-arch/$(uname -r)ish/
plus teaching pkgin (and pkg_install?) to use the extra URL as fallback

Thanks

David
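
An added example, not part of the original message: a POSIX sh check for the empty trust store condition described above. It relies on the OpenSSL CApath convention of subject-hash file names (HHHHHHHH.N); the function name certdir_status is hypothetical.

```shell
#!/bin/sh
# Added example: classify an OpenSSL CA directory such as /etc/openssl/certs.
# OpenSSL finds issuers in a CApath directory through files or symlinks named
# by subject hash: 8 lowercase hex digits, a dot, and a sequence number.
# A directory holding only PEM files without those names is still unusable.

# certdir_status DIR  (hypothetical helper name)
# Prints one of:
#   missing                          DIR does not exist
#   empty                            no usable hash entries
#   populated usable=N dangling=M    N entries resolve, M point nowhere
certdir_status() {
    dir=$1
    [ -d "$dir" ] || { echo "missing"; return 0; }
    total=0
    dangling=0
    for f in "$dir"/*; do
        name=${f##*/}
        case $name in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*) ;;
            *) continue ;;
        esac
        total=$((total + 1))
        # A hash link whose target was removed cannot be used for verification.
        [ -e "$f" ] || dangling=$((dangling + 1))
    done
    usable=$((total - dangling))
    if [ "$usable" -eq 0 ]; then
        echo "empty"
    else
        echo "populated usable=$usable dangling=$dangling"
    fi
}

# Default to the directory named in the message; pass another path as $1.
certdir_status "${1:-/etc/openssl/certs}"
```

A result of "missing" or "empty" corresponds to the "unable to get local issuer certificate" failure quoted in the message; a non-zero dangling count points at a certificate package that was removed or only partly updated.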

