CVS commit: [pkgsrc-2023Q4] pkgsrc

["Benny Siegert" <bsiegert%netbsd.org@localhost>]

Module Name:    pkgsrc
Committed By:   bsiegert
Date:           Sat Jan 13 12:49:10 UTC 2024

Modified Files:
        pkgsrc/net/libfetch [pkgsrc-2023Q4]: Makefile
        pkgsrc/net/libfetch/files [pkgsrc-2023Q4]: common.c fetch.3
        pkgsrc/pkgtools/pkg_install [pkgsrc-2023Q4]: Makefile
        pkgsrc/pkgtools/pkgin [pkgsrc-2023Q4]: Makefile

Log Message:
Pullup ticket #6832 - requested by riastradh
net/libfetch: enable HTTPS cert validation on NetBSD 10
pkgtools/pkg_install, pkgtools/pkgin: revbump

(via patch)

   net/libfetch: Enable HTTPS certificate validation, but limit it to
   NetBSD>=10 for now.

   The switch has been flipped on for all platforms in pkgsrc-current
   with net/libfetch 2.40.  To avoid trouble with future updates to
   pkgsrc-2024Q1, the attached patch -- which is limited at
   compile-time to NetBSD>=10 -- bumps the version to 2.39nb3 instead,
   so that the version in pkgsrc-2024Q1 will appear newer.

   See
   https://mail-index.netbsd.org/pkgsrc-users/2023/12/31/msg038682.html
   https://mail-index.netbsd.org/tech-pkg/2023/12/09/msg028590.html
   for discussion.  (A future pullup might rip off the NetBSD>=10
   bandaid, but I'd like to get this part in ASAP.)


To generate a diff of this commit:
cvs rdiff -u -r1.64 -r1.64.2.1 pkgsrc/net/libfetch/Makefile
cvs rdiff -u -r1.31 -r1.31.58.1 pkgsrc/net/libfetch/files/common.c
cvs rdiff -u -r1.17 -r1.17.62.1 pkgsrc/net/libfetch/files/fetch.3
cvs rdiff -u -r1.237 -r1.237.2.1 pkgsrc/pkgtools/pkg_install/Makefile
cvs rdiff -u -r1.128 -r1.128.2.1 pkgsrc/pkgtools/pkgin/Makefile

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/net/libfetch/Makefile
diff -u pkgsrc/net/libfetch/Makefile:1.64 pkgsrc/net/libfetch/Makefile:1.64.2.1
--- pkgsrc/net/libfetch/Makefile:1.64   Tue Oct 24 22:10:22 2023
+++ pkgsrc/net/libfetch/Makefile        Sat Jan 13 12:49:09 2024
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.64 2023/10/24 22:10:22 wiz Exp $
+# $NetBSD: Makefile,v 1.64.2.1 2024/01/13 12:49:09 bsiegert Exp $
 
 DISTNAME=      libfetch-2.39
-PKGREVISION=   2
+PKGREVISION=   3
 CATEGORIES=    net
 MASTER_SITES=  # empty
 DISTFILES=     # empty

Index: pkgsrc/net/libfetch/files/common.c
diff -u pkgsrc/net/libfetch/files/common.c:1.31 pkgsrc/net/libfetch/files/common.c:1.31.58.1
--- pkgsrc/net/libfetch/files/common.c:1.31     Thu Oct 20 21:25:57 2016
+++ pkgsrc/net/libfetch/files/common.c  Sat Jan 13 12:49:09 2024
@@ -1,4 +1,4 @@
-/*     $NetBSD: common.c,v 1.31 2016/10/20 21:25:57 joerg Exp $        */
+/*     $NetBSD: common.c,v 1.31.58.1 2024/01/13 12:49:09 bsiegert Exp $        */
 /*-
  * Copyright (c) 1998-2004 Dag-Erling Co�dan Sm�rgrav
  * Copyright (c) 2008, 2010 Joerg Sonnenberger <joerg%NetBSD.org@localhost>
@@ -37,6 +37,10 @@
 #include <nbcompat.h>
 #endif
 
+#ifdef __NetBSD__
+#include <sys/param.h>         /* __NetBSD_Version__ */
+#endif
+
 #include <sys/types.h>
 #include <sys/socket.h>
 #include <sys/time.h>
@@ -451,6 +455,12 @@ fetch_ssl(conn_t *conn, const struct url
        conn->ssl_meth = SSLv23_client_method();
        conn->ssl_ctx = SSL_CTX_new(conn->ssl_meth);
        SSL_CTX_set_mode(conn->ssl_ctx, SSL_MODE_AUTO_RETRY);
+#if defined(__NetBSD__) && __NetBSD_Version__ >= 1000000000
+       if (getenv("SSL_NO_VERIFY_PEER") == NULL) {
+               SSL_CTX_set_default_verify_paths(conn->ssl_ctx);
+               SSL_CTX_set_verify(conn->ssl_ctx, SSL_VERIFY_PEER, NULL);
+       }
+#endif
 
        conn->ssl = SSL_new(conn->ssl_ctx);
        if (conn->ssl == NULL){

Index: pkgsrc/net/libfetch/files/fetch.3
diff -u pkgsrc/net/libfetch/files/fetch.3:1.17 pkgsrc/net/libfetch/files/fetch.3:1.17.62.1
--- pkgsrc/net/libfetch/files/fetch.3:1.17      Tue May 31 18:02:36 2016
+++ pkgsrc/net/libfetch/files/fetch.3   Sat Jan 13 12:49:09 2024
@@ -25,9 +25,9 @@
 .\" SUCH DAMAGE.
 .\"
 .\" $FreeBSD: fetch.3,v 1.64 2007/12/18 11:03:26 des Exp $
-.\" $NetBSD: fetch.3,v 1.17 2016/05/31 18:02:36 abhinav Exp $
+.\" $NetBSD: fetch.3,v 1.17.62.1 2024/01/13 12:49:09 bsiegert Exp $
 .\"
-.Dd January 22, 2010
+.Dd December 22, 2023
 .Dt FETCH 3
 .Os
 .Sh NAME
@@ -638,6 +638,10 @@ which proxies should not be used.
 Same as
 .Ev NO_PROXY ,
 for compatibility.
+.It Ev SSL_NO_VERIFY_PEER
+If defined,
+.Nm
+will skip validating certificates when fetching HTTPS URLs.
 .El
 .Sh EXAMPLES
 To access a proxy server on

Index: pkgsrc/pkgtools/pkg_install/Makefile
diff -u pkgsrc/pkgtools/pkg_install/Makefile:1.237 pkgsrc/pkgtools/pkg_install/Makefile:1.237.2.1
--- pkgsrc/pkgtools/pkg_install/Makefile:1.237  Tue Oct 24 22:10:40 2023
+++ pkgsrc/pkgtools/pkg_install/Makefile        Sat Jan 13 12:49:09 2024
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.237 2023/10/24 22:10:40 wiz Exp $
+# $NetBSD: Makefile,v 1.237.2.1 2024/01/13 12:49:09 bsiegert Exp $
 
 # Notes to package maintainers:
 #
@@ -7,7 +7,7 @@
 # change in the pkg_* tools that pkgsrc relies on for proper operation.
 
 PKGNAME=               pkg_install-${VERSION}
-PKGREVISION=           1
+PKGREVISION=           2
 CATEGORIES=            pkgtools
 
 MAINTAINER=            agc%NetBSD.org@localhost

Index: pkgsrc/pkgtools/pkgin/Makefile
diff -u pkgsrc/pkgtools/pkgin/Makefile:1.128 pkgsrc/pkgtools/pkgin/Makefile:1.128.2.1
--- pkgsrc/pkgtools/pkgin/Makefile:1.128        Wed Nov  8 13:20:39 2023
+++ pkgsrc/pkgtools/pkgin/Makefile      Sat Jan 13 12:49:09 2024
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.128 2023/11/08 13:20:39 wiz Exp $
+# $NetBSD: Makefile,v 1.128.2.1 2024/01/13 12:49:09 bsiegert Exp $
 
 DISTNAME=              pkgin-23.8.1
-PKGREVISION=           2
+PKGREVISION=           3
 CATEGORIES=            pkgtools
 MASTER_SITES=          ${MASTER_SITE_GITHUB:=NetBSDfr/}
 GITHUB_TAG=            v${PKGVERSION_NOREV}