out-of-date /usr/share/curl/curl-ca-bundle.crt on 10.5 and 10.4

Clemens Lang cal at macports.org
Thu Apr 10 06:07:55 PDT 2014

Hi Ryan,

> Would it help if we include an up-to-date copy of curl and certsync with
> MacPorts, just as we include tcl?
> certsync synchronizes curl-ca-bundle.crt with the system keychain. Or are the
> certificates in the system keychain too old too?

The system curl probably already uses the certificates from the keychain, so
including certsync wouldn't help either, because the system roots are probably
outdated aswell.

That would leave us with the option to build our own curl and distribute a set
of root certificates, and I'd strongly argue against doing that. If we start
distributing root certificates we're also responsible for getting them updated,
and that might mean issuing a new base release when a root is compromised.

I don't think that cap fits MacPorts. The users on systems that old might just
have to bite the bullet, especially since this is a problem that will keep
occurring on their OS, not just with MacPorts.

> I remember that we have some code in base that specifically works around a
> bug in an old version of curl on Tiger or Leopard, and I also remember that
> a change in libcurl version number was one of the changes between some past
> OS versions. By including our own copy of curl, we might be one step closer
> to being able to have just a single MacPorts download instead of one per OS
> version.

Is a single MacPorts download something we aim for? Also, there's a whole set
of other problems that currently prevent this, starting with /usr/bin/gnutar vs.
/usr/bin/tar picked up by configure.

Clemens Lang

More information about the macports-dev mailing list