Proposal: validate TLS when fetching

[coypu%sdf.org@localhost]

Hi all,

currently we pass --insecure to curl when it's a fetch method, also we
try to do that for other fetch methods.
This makes me feel uncomfortable because it also happens during `make
distinfo`, where there's no checksum validation.
(I created PR 58891 for this).

it looks like this was first introduced when a popular package had a TLS
error, and while that may happen again, I think `make upload-distfiles`
might be a good enough approach.

as for testing pkgsrc with TLS validation - we accidentally do this
already*, and it looks like there are no packages failing with TLS
errors at fetch phase**.

Any objections to a patch like the following?

===================================================================
RCS file: /cvsroot/pkgsrc/mk/fetch/fetch.mk,v
retrieving revision 1.79
diff -u -r1.79 fetch.mk
--- fetch/fetch.mk	22 Oct 2024 06:29:21 -0000	1.79
+++ fetch/fetch.mk	13 Dec 2024 03:25:34 -0000
@@ -267,7 +267,6 @@
 				${TOOLS_PATH.fetch}

 _FETCH_BEFORE_ARGS.wget=	${PASSIVE_FETCH:D--passive-ftp} \
-				--no-check-certificate \
 				${FETCH_TIMEOUT:D--timeout=${FETCH_TIMEOUT}} \
 				${FETCH_USE_IPV4_ONLY:D--inet4-only}
 _FETCH_AFTER_ARGS.wget=		# empty
@@ -289,7 +288,7 @@
 # Generic FETCH_PROXY is passed via the --proxy argument to support
 # other protocols like socks4/socks5.
 _FETCH_BEFORE_ARGS.curl=	${PASSIVE_FETCH:D--ftp-pasv} \
-				--fail --insecure --location --remote-time \
+				--fail --location --remote-time \
 				${FETCH_TIMEOUT:D--connect-timeout ${FETCH_TIMEOUT}} \
 				${FETCH_TIMEOUT:D--speed-time ${FETCH_TIMEOUT}} \
 				${FETCH_PROXY:D--proxy ${FETCH_PROXY:Q}} \


Thanks



* netbsd ftp(1) only recently grew the ability to validate TLS, and so
pkgsrc hasn't disabled it. The bulk builds look clean for NetBSD 10
which has this.

** a couple are failing with blake2b errors, though.