Hi,
That said: I just spent nearly all my spare time of the last month designing, implementing, testing, and arguing for a careful change for both pkgsrc-2023Q4 and netbsd-10 to provide this security contract with a bypass switch, with minimal risk of breakage in library callers and in existing pkg_add and pkgin configurations, and I've lost interest in working any more on this for now -- so if you want a different patch from the ones I already posted, someone else will have to draft and test it.
I've read Taylor's carefully considered suggestions and patches, and I can't see where they'd be problematic. We've had much more disruptive changes that we've all been asked to simply accept rather than taking a more reasoned approach, yet here we're seemingly worried about edge cases that I just can't see are more important than the goal of having an expected trust mechanism in place.
Please let me know if any part of my summary is incorrect:
NetBSD < 10 ignores the lack of certificates, which is neither a good default, even if we want to avoid changing things, nor does it make sense, as in that behavior defies common sense.
NetBSD >= 10 fails if certificates aren't installed. This matches the principle of least astonishment and is a good default. Even if people accustomed to NetBSD pre-10 might be surprised should they update yet not address their lack of certificates, it'd be foolish to avoid this change because we're worried about these few people who upgrade without fixing certs.
That said, I think we're all in agreement that pkgsrc / libfetch / pkg_add / pkgin should validate https.
I think there's some disagreement about whether https should be allowed to downgrade to http. I can see how one can argue that it should, since we supposedly trust the https server, but I can also see why people wouldn't want that. That seems like something that might end up being a flag people can set.
When it comes to http redirecting to https, the question arises whether this should fail if certificates aren't installed. Personally, I think it should fail, but I can just as easily see why, if we're in the business of avoiding unexpected changes, pkg_add and friends should proceed even without certificates. Again, this could be a flag.
So if we agree that https->http downgrading is a flag that defaults to fail and http->https upgrading is a flag that defaults to validate, then what else is there that's keeping this from being added?
Just like in our very long threads in port-vax@, perhaps I've missed some things, but is this a fair summary?
John
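The redirect policy summarised in the message above (https->http downgrade as a flag defaulting to fail, http->https upgrade as a flag defaulting to validate, and a plain https fetch failing without certificates as on NetBSD >= 10), written out as a decision function. This is an added example, not libfetch, pkg_add or pkgin code; the struct fields and verdict names are assumptions, not real options of those tools.

```c
#include <string.h>
#include <strings.h>

/* Verdict for following a redirect under the policy discussed in the thread. */
enum redirect_verdict {
    REDIRECT_FOLLOW,            /* follow; https targets are certificate-validated */
    REDIRECT_FOLLOW_UNVERIFIED, /* follow https without validation (explicit opt-out) */
    REDIRECT_REFUSE
};

/* Hypothetical knobs; the names are assumptions, not libfetch/pkg_add options. */
struct fetch_policy {
    int allow_downgrade;  /* https -> http permitted; proposed default 0 (fail)  */
    int require_verify;   /* http -> https must validate; proposed default 1    */
    int certs_installed;  /* whether a CA bundle is available to the fetcher     */
};

enum { SCHEME_OTHER, SCHEME_HTTP, SCHEME_HTTPS };

static int url_scheme(const char *url)
{
    if (strncasecmp(url, "https://", 8) == 0) return SCHEME_HTTPS;
    if (strncasecmp(url, "http://", 7) == 0) return SCHEME_HTTP;
    return SCHEME_OTHER;
}

enum redirect_verdict
redirect_policy(const struct fetch_policy *p, const char *from, const char *to)
{
    int a = url_scheme(from), b = url_scheme(to);

    if (a == SCHEME_OTHER || b == SCHEME_OTHER)
        return REDIRECT_REFUSE;               /* only http(s) is handled here */
    if (a == SCHEME_HTTPS && b == SCHEME_HTTP)
        return p->allow_downgrade ? REDIRECT_FOLLOW : REDIRECT_REFUSE;
    if (b == SCHEME_HTTPS) {                  /* https -> https or http -> https */
        if (p->certs_installed) return REDIRECT_FOLLOW;
        /* No certs: an https fetch fails (NetBSD >= 10 behaviour); an
         * http -> https upgrade proceeds unverified only if validation
         * was explicitly switched off. */
        if (a == SCHEME_HTTP && !p->require_verify)
            return REDIRECT_FOLLOW_UNVERIFIED;
        return REDIRECT_REFUSE;
    }
    return REDIRECT_FOLLOW;                   /* http -> http */
}
```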