commit 625c83c97f21ca7f19e430bc35a05a666c8824bf
from: Stefan Sperling <stsp@stsp.name>
date: Wed Apr 17 17:23:51 2024 UTC

can drop "rpath" pledge in got-fetch-http if plaintext HTTP is being used

commit - c2a5e1d857119735fd39b8360f688083e6361e8b
commit + 625c83c97f21ca7f19e430bc35a05a666c8824bf
blob - 4ac28d9fb06153bf6428008b8a6b9a556517e6ef
blob + f1cf123c468f636b6b2290fd62ca8e6b179ab5ac
--- libexec/got-fetch-http/got-fetch-http.c
+++ libexec/got-fetch-http/got-fetch-http.c
@@ -556,7 +556,13 @@ main(int argc, char **argv)
 		usage();
 
 	https = strcmp(argv[0], "https") == 0;
-
+#ifndef PROFILE
+	if (!https) {
+		/* drop "rpath" */
+		if (pledge("stdio inet dns", NULL) == -1)
+			err(1, "pledge");
+	}
+#endif
 	host = argv[1];
 	port = argv[2];
 	path = argv[3];