Re: Broken: time/php-framadate in pkgsrc-current on NetBSD 9.0/x86_64

[Taylor R Campbell <riastradh%NetBSD.org@localhost>]

> Date: Mon, 17 Mar 2025 07:07:06 +0000
> From: Emmanuel Dreyfus <manu%netbsd.org@localhost>
> 
> On Mon, Mar 17, 2025 at 01:45:52AM +0000, Taylor R Campbell wrote:
> > http://www.ki.nu/pkgsrc/reports/current/NetBSD-9.0/20250312.1636/php82-framadate-1.1.19nb2/configure.log
> > http://www.ki.nu/pkgsrc/reports/current/NetBSD-9.0/20250312.1636/php83-framadate-1.1.19nb2/configure.log
> 
> Both logs says:
>   fatal: unable to access 'https://framagit.org/framasoft/framadate/o80-i18n/': SSL certificate problem: unable to get local issuer certificate
> 
> This happens because git does not have root certificates configured. 
> I could add 
> BUILD_DEPENDS+= mozilla-rootcerts-[0-9]*:../../mozilla-rootcerts
> 
> and run this before using git:
> git config --global sslCAinfo ${PREFIX/share/mozilla-rootcerts/cacert.pem
> 
> But I suspect this deserves a pkgsrc-wide fix. This package is not alone 
> running git, is it?

No, it is absolutely forbidden for the build to talk to the network.
All distfiles must be obtained during the fetch phase; any phases
after that must not use the network.

(BUILD_DEPENDS would also be wrong (you mean TOOL_DEPENDS instead
here), and explicit dependencies on mozilla-rootcerts are always wrong
because they do not reflect the system-configured trust store.  But in
this case it is correct for TLS validation to fail as a diagnostic
measure because the bulk build doesn't have technical measures to
completely prevent network access after the fetch phase.)