out-of-date /usr/share/curl/curl-ca-bundle.crt on 10.5 and 10.4

Ryan Schmidt ryandesign at macports.org
Thu Apr 10 07:12:14 PDT 2014


On Apr 10, 2014, at 08:07, Clemens Lang wrote:

> Hi Ryan,
> 
>> Would it help if we include an up-to-date copy of curl and certsync with
>> MacPorts, just as we include tcl?
>> certsync synchronizes curl-ca-bundle.crt with the system keychain. Or are the
>> certificates in the system keychain too old too?
> 
> The system curl probably already uses the certificates from the keychain, so
> including certsync wouldn't help either, because the system roots are probably
> outdated as well.

That’s what I thought. Which now makes me question whether replacing curl-ca-bundle with certsync is really such a good idea for older systems.

> That would leave us with the option to build our own curl and distribute a set
> of root certificates, and I'd strongly argue against doing that. If we start
> distributing root certificates we're also responsible for getting them updated,
> and that might mean issuing a new base release when a root is compromised.
> 
> I don't think that cap fits MacPorts. The users on systems that old might just
> have to bite the bullet, especially since this is a problem that will keep
> occurring on their OS, not just with MacPorts.

I agree. If it’s just a problem fetching distfiles, that won’t be a problem anymore once our mirrors start mirroring again.

>> I remember that we have some code in base that specifically works around a
>> bug in an old version of curl on Tiger or Leopard, and I also remember that
>> a change in libcurl version number was one of the changes between some past
>> OS versions. By including our own copy of curl, we might be one step closer
>> to being able to have just a single MacPorts download instead of one per OS
>> version.
> 
> Is a single MacPorts download something we aim for? Also, there's a whole set
> of other problems that currently prevent this, starting with /usr/bin/gnutar vs.
> /usr/bin/tar picked up by configure.

I haven’t mentioned it much but I’ve often thought a single download would be nice. It would be less confusing and it’s what most other projects do.


