[119549] trunk/dports/irc/weechat/Portfile

Ryan Schmidt ryandesign at macports.org
Wed Apr 30 01:26:29 PDT 2014


On Apr 30, 2014, at 02:42, and.damore at macports.org wrote:

> Revision: 119549
> Author: and.damore at macports.org
> Date: 2014-04-30 00:42:17 -0700 (Wed, 30 Apr 2014)
> Log Message:
> 
> port weechat: switch to certsync rather than curl-ca-bundle as default CAs provider, #43512
> 
> Modified Paths:
> 
> 	• trunk/dports/irc/weechat/Portfile
> 
> Diff:
> 
> Modified: trunk/dports/irc/weechat/Portfile (119548 => 119549)
> 
> --- trunk/dports/irc/weechat/Portfile	2014-04-30 02:34:25 UTC (rev 119548)
> +++ trunk/dports/irc/weechat/Portfile	2014-04-30 07:42:17 UTC (rev 119549)
> @@ -38,7 +38,7 @@
>                      port:libiconv \
>                      port:ncurses
>  
> -depends_run-append  path:share/curl/curl-ca-bundle.crt:curl-ca-bundle 
> +depends_run-append  path:etc/openssl/cert.pem:certsync
>  
>  configure.args-append \
>                      -DENABLE_GNUTLS=OFF \
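
Review bot: the new `depends_run-append` line makes certsync the only CA provider on every platform, with no fallback where certsync cannot be installed; the reply on this thread says a certsync update made it incompatible with Leopard and Tiger. Consider keeping `path:share/curl/curl-ca-bundle.crt:curl-ca-bundle` for those OS versions and selecting the matching `-DCA_FILE` there, or at least record the limitation in a comment above this line.
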
> @@ -48,7 +48,7 @@
>                      -DENABLE_PYTHON=OFF \
>                      -DENABLE_RUBY=OFF \
>                      -DENABLE_ASPELL=OFF \
> -                    -DCA_FILE=${prefix}/share/curl/curl-ca-bundle.crt
> +                    -DCA_FILE=${prefix}/etc/openssl/cert.pem
>  
>  variant aspell description {Support for aspell} {
>      configure.args-delete   -DENABLE_ASPELL=OFF
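
Review bot: `-DCA_FILE=${prefix}/etc/openssl/cert.pem` is a configure-time setting, but this diff has no hunk touching `revision`, so existing weechat installs would not be rebuilt and would keep the CA path they were configured with. Bump the revision in the same commit. The path `etc/openssl/cert.pem` is also now written both here and in the `depends_run-append` line above; holding it in one variable would keep the dependency and the configured CA file from drifting apart.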

So far we’ve been defaulting to curl-ca-bundle in other ports. The plan was to default to certsync after the problems had been ironed out, and for a brief time, they were, but then an update to certsync made it incompatible with Leopard and Tiger, and since it synchronizes with the system certificates, which on Leopard and Tiger are quite outdated, there’s concern that users of older systems would not be able to access web sites secured by newer certificate authorities, or those who have had to replace their certificates (e.g. due to Heartbleed). But because certsync synchronizes with the system certificates, it means users with custom (e.g. corporate) certificates can use them, which curl-ca-bundle doesn’t have a provision for. So neither port is perfect right now, and I’m not aware of anything being done to fix either of them.




