NetBSD Problem Report #55609
From jschauma@netmeister.org Thu Aug 27 02:07:53 2020
Return-Path: <jschauma@netmeister.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
by mollari.NetBSD.org (Postfix) with ESMTPS id 828F01A923A
for <gnats-bugs@gnats.NetBSD.org>; Thu, 27 Aug 2020 02:07:53 +0000 (UTC)
Message-Id: <20200827020750.278E585898@panix.netmeister.org>
Date: Wed, 26 Aug 2020 22:07:50 -0400 (EDT)
From: jschauma@netmeister.org
Reply-To: jschauma@netmeister.org
To: gnats-bugs@NetBSD.org
Subject: curl should install or at least recommend mozilla-rootcerts
X-Send-Pr-Version: 3.95
>Number: 55609
>Category: pkg
>Synopsis: curl should install or at least recommend mozilla-rootcerts
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: pkg-manager
>State: open
>Class: change-request
>Submitter-Id: net
>Arrival-Date: Thu Aug 27 02:10:00 +0000 2020
>Originator: Jan Schaumann
>Release: NetBSD 8.0
>Organization:
>Environment:
System: NetBSD panix.netmeister.org 8.0 NetBSD 8.0 (PANIX-VC) #0: Fri May 3 16:47:37 EDT 2019 root@juggler.panix.com:/misc/obj64/misc/devel/netbsd/8.0/src/sys/arch/amd64/compile/PANIX-VC amd64
Architecture: x86_64
Machine: amd64
>Description:
When a user installs NetBSD 9.0 and then uses pkgin to e.g., install curl(1),
the resulting tool is not able to access https resources, because the system
appears to be missing a CA trust bundle (or, if it provides one, the pkgsrc
provided binary doesn't know how to use it).
This makes the curl(1) utility near useless for most common use cases.
While a point can be made that the user ought to decide for themselves which
CAs to trust, this is not particularly user-friendly and likely leads to one
of the following outcomes:
1) the user ignores all warnings from curl(1) and defaults to '-k'
2) the user installs 'mozilla-rootcerts' without any scrutiny and trusts all
those CAs
3) the user grumbles "NetBSD is broken", shakes their fist, and moves on to
another system whenever they have a chance
(1) and (3) are obviously not desirable; (2) requires the user to know to
install 'mozilla-rootcerts', but also does not reflect any sort of assessment
of which CAs to trust.
Now a user who is knowledgeable enough _and_ understands which CAs they want to
trust is rare, but such a user would likely be careful enough to customize
whatever CA bundle either the OS or the package installs.
Given the most desirable outcome, I believe the right thing to do here would be
for the curl(1) package to depend on 'mozilla-rootcerts' and in it's install
message point out to the user that they may wish to customize the trust bundle
if they know what they're doing.
(This would apply equally to other packages that require a trust bundle to
function in most scenarios.)
At a very minimum, the curl(1) package (and, again, any other similar packages)
should include in their post-install message a note that it currently does not
provide any CA bundle, that a CA bundle is required, and where to find it,
although I'd vastly prefer if the installation of the package yielded a
functioning curl(1) without further changes.
>How-To-Repeat:
Install NetBSD 9.0.
Install pkgin.
pkgin install curl
curl -I https://www.netbsd.org
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
>Fix:
>Unformatted:
(Contact us)
$NetBSD: query-full-pr,v 1.46 2020/01/03 16:35:01 leot Exp $
$NetBSD: gnats_config.sh,v 1.9 2014/08/02 14:16:04 spz Exp $
Copyright © 1994-2020
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.
Home