Certificate Authorities: curl-ca-bundle, certsync, keychain

[Ryan Schmidt]

On Nov 28, 2013, at 09:32, Rainer Müller wrote:
> On 2013-11-28 15:25, Landon Fuller wrote:
>> certsync is tested and works on 10.6+, and is building successfully on all the buildbots, and a MacPorts update has now shipped with support for auto-loading certsync's startup item. I've been running certsync since May without any noticed ill-effects.
> 
> I have been using certsync since you announced it here on the list and
> so far, I did not experience any problems. I am fine with moving to
> certsync as the new default.

Same here.

> For older OS X versions <=10.5, the certsync port could just depend on
> the curl-ca-bundle and not install any files. Or should we keep the
> path: dependency style anyway to allow using curl-ca-bundle as an
> alternative?

I’ve switched many of my MacPorts installs to certsync, including on Leopard, but I don’t know if it’s working correctly (how would I test that?). Unfortunately certsync fails to build on Tiger; I would love to get that fixed.

The problem with leaving curl-ca-bundle intact and leaving ports using the path:-style dependency is that all existing users of MacPorts would continue to use curl-ca-bundle unless they manually intervened. If certsync is working properly, it would be nice to automatically switch all users to it (i.e. make curl-ca-bundle replaced_by certsync). That’s going to get tricky if we have to make exceptions for older OS versions.