out-of-date /usr/share/curl/curl-ca-bundle.crt on 10.5 and 10.4

Ryan Schmidt ryandesign at macports.org
Wed Apr 9 18:23:31 PDT 2014


On Apr 9, 2014, at 15:11, Ned Deily wrote:

> It seems that a number of MacPorts users on 10.5 and 10.4 are running 
> into download problems (for example, 
> https://trac.macports.org/ticket/43172 and 
> https://trac.macports.org/ticket/43307).  I believe the root cause is 
> that MacPorts base currently depends on the system-supplied curl and for 
> 10.5 and earlier the default system curl certificate bundle is now 
> woefully out-of-date.  Two unrelated things are bringing this to the 
> fore now: 1. the MacPorts distfiles not being updated problem (which 
> presumably will eventually get fixed) and 2. the increasing default use 
> of ssl transfers by upstream mirrors (an issue that is only going to get 
> worse).  An example is pypi.python.org.  There is a fairly simple fix 
> for 10.5 and 10.4 users: they can manually update the system curl 
> certificate bundle. (For 10.6 and above, the system curl does not have 
> its own certificates.)  If an up-to-date MacPorts curl port is 
> installed, it is pretty trivial; see 
> https://trac.macports.org/ticket/43172#comment:8.  Otherwise, they could 
> download the bundle from somewhere, for example, 
> http://curl.haxx.se/docs/caextract.html.  I think it would be very 
> helpful to add something about this somewhere, perhaps in the new 
> website under the OS-version-specific sections.  Even better, in 
> addition a check or warning could be added to selfupdate.

Would it help if we include an up-to-date copy of curl and certsync with MacPorts, just as we include tcl? We’d first have to fix certsync so it can build on Leopard again:

https://trac.macports.org/ticket/42961

certsync synchronizes curl-ca-bundle.crt with the system keychain. Or are the certificates in the system keychain too old too?

I remember that we have some code in base that specifically works around a bug in an old version of curl on Tiger or Leopard, and I also remember that a change in libcurl version number was one of the changes between some past OS versions. By including our own copy of curl, we might be one step closer to being able to have just a single MacPorts download instead of one per OS version.
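As an added example (not code from this thread, MacPorts or curl), a stdlib-only Python script that reports which certificates in a PEM bundle such as /usr/share/curl/curl-ca-bundle.crt have already expired or expire within a year, the kind of check Ned suggests selfupdate could perform. The two sample certificates are constructed inside the script and are not real CAs; the DER walker only reads the tbsCertificate fields ahead of `validity`, and the one-year `warn_days` threshold is an assumption.

```python
import base64, re, sys
from datetime import datetime, timedelta, timezone

def read_tlv(buf, pos):  # decode one DER tag-length-value at pos -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits say how many bytes hold the real length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_time(tag, value):  # RFC 5280 Time: UTCTime (0x17, 2-digit year) or GeneralizedTime (0x18)
    s = value.decode("ascii")
    if tag == 0x17:
        s = ("19" if int(s[:2]) >= 50 else "20") + s  # 50-99 -> 19xx, 00-49 -> 20xx
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def cert_not_after(der):  # Certificate -> tbsCertificate -> validity -> notAfter
    _, tbs, _ = read_tlv(read_tlv(der, 0)[1], 0)
    tag, _, pos = read_tlv(tbs, 0)  # [0] EXPLICIT version if present, else serialNumber (v1 cert)
    if tag == 0xA0:
        _, _, pos = read_tlv(tbs, pos)  # serialNumber
    _, _, pos = read_tlv(tbs, pos)  # signature AlgorithmIdentifier
    _, _, pos = read_tlv(tbs, pos)  # issuer Name
    _, validity, _ = read_tlv(tbs, pos)
    tag, value, _ = read_tlv(validity, read_tlv(validity, 0)[2])  # skip notBefore, take notAfter
    return parse_time(tag, value)

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
def audit_bundle(pem_text, now, warn_days=365):  # -> [(notAfter, "expired"|"expiring"|"ok"), ...]
    report = []
    for body in PEM_RE.findall(pem_text):
        not_after = cert_not_after(base64.b64decode("".join(body.split())))
        status = "expired" if not_after < now else "expiring" if not_after - now < timedelta(days=warn_days) else "ok"
        report.append((not_after, status))
    return report

# Constructed sample input (not real CA certificates): minimal DER carrying only the fields the walker reads.
def _tlv(tag, value):  # short-form length only; every field below is under 128 bytes
    return bytes([tag, len(value)]) + value
def _fake_cert_pem(not_after):
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + _tlv(0x30, b"") + _tlv(0x30, b"")
           + _tlv(0x30, _tlv(0x17, b"100101000000Z") + _tlv(0x17, not_after)))
    cert = _tlv(0x30, _tlv(0x30, tbs) + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(cert).decode()
SAMPLE_BUNDLE = _fake_cert_pem(b"131231235959Z") + _fake_cert_pem(b"301231235959Z")

if __name__ == "__main__":  # e.g. python3 audit.py /usr/share/curl/curl-ca-bundle.crt
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BUNDLE
    for not_after, status in audit_bundle(text, datetime.now(timezone.utc)):
        print(not_after.date(), status)
```

Expired roots are only one symptom of a stale bundle; roots that were added upstream after the bundle was shipped are the other, and this check cannot see those, so it complements rather than replaces refreshing the file from the curl CA extract or via certsync.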


