Re: privoxy-pki-bundle not Behaving as Desired – Request for Assistance

Ryan Schmidt ryandesign at
Tue May 24 03:27:53 UTC 2022

On May 23, 2022, at 21:16, Chris Jones wrote:

> On 23 May 2022, at 9:59 pm, Steven Smith wrote:
>>> What has changed between the time that the buildbot built the package and the time that the user installs it?
>> The certs in curl-ca-bundle are updated regularly to clear out expired certs.
>> Per the previous discussion, privoxy-pki-bundle uses these certs via a depends_lib, and unless a port revision is added by hand, the port inevitably will contain expired certs.
>> The “solution” appears to be to bump the revision of privoxy-pki-bundle by hand whenever curl-ca-bundle is updated. I’m trying to identify a more automated and robust way of accomplishing that.
> The simple solution then is to just put a comment into the curl-ca-bundle port next to the version/revision asking whoever updates it to bump the revision of privoxy-pki-bundle at the same time. This simple but generally effective solution is used in a number of ports with similar situations and works well most of the time. I see no need to do anything more complex here, particularly not to automate things such that the same port file installs different things at different times. That lack of reproducibility is definitely not wanted.

Right, this is what I already recommended. I'm happy to revbump privoxy-pki-bundle whenever I update curl-ca-bundle, but will forget if not reminded via a comment.

I do see that privoxy-pki-bundle depends on path:share/curl/curl-ca-bundle.crt:curl-ca-bundle, which means that certsync could also satisfy it. Whereas curl-ca-bundle is updated by me whenever Mozilla releases a new certdata.txt, certsync installs a launchd plist that monitors the user's Keychain and whenever it is modified, it runs a program to generate a new ca bundle. If you intend to handle that situation, then you could do something similar and install a launchd plist that monitors the ca bundle and a program to regenerate your files whenever the ca bundle changes. Then revbumps would not be needed.
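
A sketch of the launchd job described in the message above, added here as an illustration; it is not part of the original message and not taken from certsync or any MacPorts port. The job label and the regeneration program path are hypothetical, and the bundle path assumes the default MacPorts prefix /opt/local.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <!-- Hypothetical job label -->
    <key>Label</key>
    <string>org.macports.privoxy-pki-bundle.regen</string>

    <!-- Hypothetical regeneration program; the ca bundle path is passed as its argument -->
    <key>ProgramArguments</key>
    <array>
        <string>/opt/local/libexec/privoxy-pki-bundle/regenerate</string>
        <string>/opt/local/share/curl/curl-ca-bundle.crt</string>
    </array>

    <!-- launchd starts the job whenever this path is modified -->
    <!-- (assumes the default /opt/local prefix) -->
    <key>WatchPaths</key>
    <array>
        <string>/opt/local/share/curl/curl-ca-bundle.crt</string>
    </array>

    <!-- Also run once when the job is loaded, to pick up a bundle -->
    <!-- that changed while the job was not loaded -->
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>
```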

More information about the macports-dev mailing list