Ryan Schmidt (ryandesign) pushed a commit to branch master
in repository macports-ports.
<p><a href="https://github.com/macports/macports-ports/commit/d8986b24bac94f22a60bfdd3e5d815d6a68c7a05">https://github.com/macports/macports-ports/commit/d8986b24bac94f22a60bfdd3e5d815d6a68c7a05</a></p>
<pre style="white-space: pre; background: #F8F8F8">The following commit(s) were added to refs/heads/master by this push:
<span style='display:block; white-space:pre;color:#404040;'> new d8986b24bac Limit OS versions that use Let's Encrypt sites
</span>d8986b24bac is described below
<span style='display:block; white-space:pre;color:#808000;'>commit d8986b24bac94f22a60bfdd3e5d815d6a68c7a05
</span>Author: Ryan Schmidt <ryandesign@macports.org>
AuthorDate: Tue Oct 5 21:41:39 2021 -0500
<span style='display:block; white-space:pre;color:#404040;'> Limit OS versions that use Let's Encrypt sites
</span><span style='display:block; white-space:pre;color:#404040;'>
</span><span style='display:block; white-space:pre;color:#404040;'> Only use https to access our distfiles and packages server on OS
</span><span style='display:block; white-space:pre;color:#404040;'> versions where the bundled libcurl is still compatible with Let's
</span><span style='display:block; white-space:pre;color:#404040;'> Encrypt, following the recent expiration of DST Root CA X3.
</span><span style='display:block; white-space:pre;color:#404040;'>
</span><span style='display:block; white-space:pre;color:#404040;'> Users might have added the new ISRG Root X1 to their keychain, or they
</span><span style='display:block; white-space:pre;color:#404040;'> might have specified to always trust DST Root CA X3 even though it is
</span><span style='display:block; white-space:pre;color:#404040;'> expired, or they might have compiled MacPorts with a newer libcurl, but
</span><span style='display:block; white-space:pre;color:#404040;'> these defaults will ensure MacPorts can still access our servers even on
</span><span style='display:block; white-space:pre;color:#404040;'> computers where the user has not done any of that.
</span>---
_resources/port1.0/fetch/archive_sites.tcl | 33 ++++++++++++++++--------------
_resources/port1.0/fetch/mirror_sites.tcl | 33 ++++++++++++++++--------------
2 files changed, 36 insertions(+), 30 deletions(-)
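--- a/_resources/port1.0/fetch/archive_sites.tcl
+++ b/_resources/port1.0/fetch/archive_sites.tcl
@@ -3,34 +3,37 @@ namespace eval portfetch::mirror_sites { }
 # Keep these in sync between archive_sites.tcl and mirror_sites.tcl.
 # Some servers only support http; others support https while allowing
 # http as a fallback; still others only allow https.
-# The servers that support https have varying sets of cipher suites
-# enabled, which gives them varying minimum macOS version requirements.
+# As of the September 30, 2021 expiration of DST Root CA X3, the set of
+# macOS versions able to use the bundled libcurl to access our servers
+# that use Let's Encrypt certificates is drastically reduced.
 # Some servers that support https haven't added the MacPorts hostnames
 # to their SSL certificate as Subject Alternative Names so we can't use
 # https with them yet.
 global os.platform os.major
-set fastly [expr {${os.platform} eq "darwin" && ${os.major} < 13 ? "http" : "https"}]
+set letsencrypt_https_or_http [expr {${os.platform} ne "darwin" || ${os.major} == 16 || ${os.major} > 18 ? "https" : "http"}]
+set letsencrypt_https_only [expr {${os.platform} ne "darwin" || ${os.major} == 16 || ${os.major} > 18 ? "https" : ""}]
+set fastly ${letsencrypt_https_or_http}
 # cert doesn't have macports.org SANs; admin notified
-#set aarnet.au [expr {${os.platform} eq "darwin" && ${os.major} < 13 ? "http" : "https"}]
+#set aarnet.au ${letsencrypt_https_or_http}
 set aarnet.au http
 set atl.us http
-set cph.dk [expr {${os.platform} eq "darwin" && ${os.major} < 13 ? "http" : "https"}]
+set cph.dk ${letsencrypt_https_or_http}
 set cjj.kr http
-set ema.uk https
+set ema.uk ${letsencrypt_https_or_http}
 # cert doesn't have macports.org SANs; admin notified
-#set fco.it [expr {${os.platform} eq "darwin" && ${os.major} < 13 ? "http" : "https"}]
+#set fco.it ${letsencrypt_https_or_http}
 set fco.it http
-set fra.de [expr {${os.platform} eq "darwin" && ${os.major} < 13 ? "http" : "https"}]
-set jnb.za [expr {${os.platform} eq "darwin" && ${os.major} < 10 ? "" : "https"}]
+set fra.de ${letsencrypt_https_or_http}
+set jnb.za ${letsencrypt_https_only}
 set jog.id http
-set kmq.jp [expr {${os.platform} eq "darwin" && ${os.major} < 10 ? "http" : "https"}]
-set mse.uk [expr {${os.platform} eq "darwin" && ${os.major} < 13 ? "http" : "https"}]
-set nue.de [expr {${os.platform} eq "darwin" && ${os.major} < 10 ? "http" : "https"}]
-set pek.cn [expr {${os.platform} eq "darwin" && ${os.major} < 10 ? "http" : "https"}]
+set kmq.jp ${letsencrypt_https_or_http}
+set mse.uk ${letsencrypt_https_or_http}
+set nue.de ${letsencrypt_https_or_http}
+set pek.cn ${letsencrypt_https_or_http}
 # cert doesn't have macports.org SANs; admin notified
-#set ykf.ca [expr {${os.platform} eq "darwin" && ${os.major} < 10 ? "http" : "https"}]
+#set ykf.ca ${letsencrypt_https_or_http}
 set ykf.ca http
-set ywg.ca [expr {${os.platform} eq "darwin" && ${os.major} < 10 ? "http" : "https"}]
+set ywg.ca ${letsencrypt_https_or_http}
 
 # Keep the primary packages server first in the list
 set portfetch::mirror_sites::sites(macports_archives) [lsearch -all -glob -inline -not "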
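Review bot: The gate `${os.major} == 16 || ${os.major} > 18` in the new `letsencrypt_https_or_http` and `letsencrypt_https_only` lines is non-monotonic (Darwin 16 = macOS 10.12 keeps https, 17 and 18 = 10.13 and 10.14 drop to http, 19+ keeps https) and nothing in the hunk says why, so a later maintainer is likely to read `== 16` as a typo for `>= 16` and "fix" it. Please add a comment above those two lines such as `# Darwin 16 (10.12) and 19+ (10.15+) keep https; 17 and 18 (10.13, 10.14) and anything older fall back to http because their bundled libcurl cannot validate Let's Encrypt chains after DST Root CA X3 expired`, and the same comment in the identical hunk in _resources/port1.0/fetch/mirror_sites.tcl. Worth stating in that comment too that on the excluded versions the primary `fastly` hosts, and `ema.uk` (previously unconditional https), are now fetched over plain http, so integrity of distfiles and archives on those systems rests entirely on Portfile checksums and archive signature verification rather than TLS; presumably both checks still apply, but that assumption is what makes the downgrade acceptable and should be written down next to it.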
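--- a/_resources/port1.0/fetch/mirror_sites.tcl
+++ b/_resources/port1.0/fetch/mirror_sites.tcl
@@ -413,34 +413,37 @@ set portfetch::mirror_sites::sites(macports) {
 # Keep these in sync between archive_sites.tcl and mirror_sites.tcl.
 # Some servers only support http; others support https while allowing
 # http as a fallback; still others only allow https.
-# The servers that support https have varying sets of cipher suites
-# enabled, which gives them varying minimum macOS version requirements.
+# As of the September 30, 2021 expiration of DST Root CA X3, the set of
+# macOS versions able to use the bundled libcurl to access our servers
+# that use Let's Encrypt certificates is drastically reduced.
 # Some servers that support https haven't added the MacPorts hostnames
 # to their SSL certificate as Subject Alternative Names so we can't use
 # https with them yet.
 global os.platform os.major
-set fastly [expr {${os.platform} eq "darwin" && ${os.major} < 13 ? "http" : "https"}]
+set letsencrypt_https_or_http [expr {${os.platform} ne "darwin" || ${os.major} == 16 || ${os.major} > 18 ? "https" : "http"}]
+set letsencrypt_https_only [expr {${os.platform} ne "darwin" || ${os.major} == 16 || ${os.major} > 18 ? "https" : ""}]
+set fastly ${letsencrypt_https_or_http}
 # cert doesn't have macports.org SANs; admin notified
-#set aarnet.au [expr {${os.platform} eq "darwin" && ${os.major} < 13 ? "http" : "https"}]
+#set aarnet.au ${letsencrypt_https_or_http}
 set aarnet.au http
 set atl.us http
-set cph.dk [expr {${os.platform} eq "darwin" && ${os.major} < 13 ? "http" : "https"}]
+set cph.dk ${letsencrypt_https_or_http}
 set cjj.kr http
-set ema.uk https
+set ema.uk ${letsencrypt_https_or_http}
 # cert doesn't have macports.org SANs; admin notified
-#set fco.it [expr {${os.platform} eq "darwin" && ${os.major} < 13 ? "http" : "https"}]
+#set fco.it ${letsencrypt_https_or_http}
 set fco.it http
-set fra.de [expr {${os.platform} eq "darwin" && ${os.major} < 13 ? "http" : "https"}]
-set jnb.za [expr {${os.platform} eq "darwin" && ${os.major} < 10 ? "" : "https"}]
+set fra.de ${letsencrypt_https_or_http}
+set jnb.za ${letsencrypt_https_only}
 set jog.id http
-set kmq.jp [expr {${os.platform} eq "darwin" && ${os.major} < 10 ? "http" : "https"}]
-set mse.uk [expr {${os.platform} eq "darwin" && ${os.major} < 13 ? "http" : "https"}]
-set nue.de [expr {${os.platform} eq "darwin" && ${os.major} < 10 ? "http" : "https"}]
-set pek.cn [expr {${os.platform} eq "darwin" && ${os.major} < 10 ? "http" : "https"}]
+set kmq.jp ${letsencrypt_https_or_http}
+set mse.uk ${letsencrypt_https_or_http}
+set nue.de ${letsencrypt_https_or_http}
+set pek.cn ${letsencrypt_https_or_http}
 # cert doesn't have macports.org SANs; admin notified
-#set ykf.ca [expr {${os.platform} eq "darwin" && ${os.major} < 10 ? "http" : "https"}]
+#set ykf.ca ${letsencrypt_https_or_http}
 set ykf.ca http
-set ywg.ca [expr {${os.platform} eq "darwin" && ${os.major} < 10 ? "http" : "https"}]
+set ywg.ca ${letsencrypt_https_or_http}
 
 set portfetch::mirror_sites::sites(macports_distfiles) [lsearch -all -glob -inline -not "
 ${fastly}://distfiles.macports.org/:mirror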