Created attachment 208625 [details]
Currently Mk/bsd.port.mk includes this section of code:
FETCH_ENV?= SSL_NO_VERIFY_PEER=1 SSL_NO_VERIFY_HOSTNAME=1
When FETCH_ENV isn't defined, certificate verification is disabled when the target isn't makesum. However, it doesn't work as intended. 'make makesum' calls 'make fetch' internally, and 'make fetch' disables certificate verification because the target isn't makesum. Therefore, certificate verification is in fact always disabled unless the users define FETCH_ENV themselves.
To fix the problem, define FETCH_ENV when makesum is used and export it for sub-make to find it.
Using .export is probably wrong, FETCH_ENV should be passed around when it is used/needed.
Created attachment 209557 [details]
Pass FETCH_ENV via make command line instead of environment variable.
Ping! This patch fixes a regression introduced in ports r513191. It is bad for maintainers to download distfiles insecurely for almost one year.