out-of-date /usr/share/curl/curl-ca-bundle.crt on 10.5 and 10.4

Ned Deily nad at acm.org
Wed Apr 9 13:11:55 PDT 2014

It seems that a number of MacPorts users on 10.5 and 10.4 are running 
into download problems (for example, 
https://trac.macports.org/ticket/43172 and 
https://trac.macports.org/ticket/43307).  I believe the root cause is 
that MacPorts base currently depends on the system-supplied curl and for 
10.5 and earlier the default system curl certificate bundle is now 
woefully out-of-date.  Two unrelated things are bringing this to the 
fore now: 1. the MacPorts distfiles not being updated problem (which 
presumably will eventually get fixed) and 2. the increasing default use 
of ssl transfers by upstream mirrors (an issue that is only going to get 
worse).  An example is pypi.python.org.  There is a fairly simple fix 
for 10.5 and 10.4 users: they can manually update the system curl 
certificate bundle. (For 10.6 and above, the system curl does not have 
its own certificates.)  If an up-to-date MacPorts curl port is 
installed, it is pretty trivial; see 
https://trac.macports.org/ticket/43172#comment:8.  Otherwise, they could 
download the bundle from somewhere, for example, 
http://curl.haxx.se/docs/caextract.html.  I think it would be very 
helpful to add something about this somewhere, perhaps in the new 
website under the OS-version-specific sections.  Even better, in 
addition a check or warning could be added to selfupdate.

 Ned Deily,
 nad at acm.org

More information about the macports-dev mailing list