[MacPorts] #69605: curl: upgrade to 8.7.1 to address CVEs

MacPorts noreply at macports.org
Wed Mar 27 20:02:49 UTC 2024


#69605: curl: upgrade to 8.7.1 to address CVEs
---------------------+------------------------
  Reporter:  blair   |      Owner:  ryandesign
      Type:  update  |     Status:  accepted
  Priority:  Normal  |  Milestone:
 Component:  ports   |    Version:
Resolution:          |   Keywords:
      Port:  curl    |
---------------------+------------------------

Comment (by ryandesign):

 We do already have a security policy that anyone can commit an update to a
 port, even if not openmaintainer, if it resolves a security issue. This
 justification has been used in previous curl updates such as
 [47e2121c484a5a5192ac9ffd593d04da2a11d31b/macports-ports] and would apply
 to the 8.7.1 update and indeed to most new curl versions since most of
 them resolve some minor CVE. But I am working on the update now so just
 give me a minute.

 One reason why I keep a tighter rein on projects like curl and gettext
 and libpng is that they provide fundamental functionality where breaking
 them would affect a large number of ports. When I update these ports I
 keep a close eye on the buildbot and make sure it builds on all OS
 versions, and if it doesn't, I try to quickly remedy the situation (for
 example [65b98a2a23939a4f6c4366c5a128a9357c0909fc/macports-ports]). If
 others update the port under the openmaintainer umbrella they might not do
 that which could result in a large number of subsequently updated ports
 failing to build on the buildbot which would require significant work to
 reschedule the failed builds after the problem is resolved. Not to mention
 the inconvenience to users of the systems on which it failed. I'd rather
 avoid that by, well, maintaining these ports.

 The other reason with curl is that it is one of the few ports I maintain
 that I am more involved with. With most ports I just update them and
 barely know what the software does, but with curl I am subscribed to their
 mailing lists, I file bug reports and pull requests, I've participated in
 a recent curl meeting, and I do use curl myself. I may be deliberately
 holding back an update because a problem with that release is currently
 being discussed on the mailing list.

 Also curl updates are a little more complicated than normal updates.
 Updating curl requires revbumping p5-www-curl as well. It says so in the
 port but drive-by contributors might overlook that. And by the time that a
 curl update is available, probably an update of curl-ca-bundle is
 available, so I do that first, and that's a little more complicated than a
 normal update, and also documented, but possibly more complicated than
 someone else really wants to tackle.

 There may be changes other than updates that I was planning to include
 with the next port update, which would be a bit silly to revbump the port
 for all on their own.

 So many reasons!

 You are certainly always welcome to submit a pull request for any port.
 Then a maintainer can easily approve it or request changes or make other
 comments.

-- 
Ticket URL: <https://trac.macports.org/ticket/69605#comment:3>
MacPorts <https://www.macports.org/>
Ports system for macOS
