Re: privoxy-pki-bundle not Behaving as Desired – Request for Assistance

Daniel J. Luke dluke at
Tue May 24 14:35:03 UTC 2022

On May 23, 2022, at 4:59 PM, Steven Smith <steve.t.smith at> wrote:
>> What has changed between the time that the buildbot built the package and the time that the user installs it?
> The certs in curl-ca-bundle are updated regularly to clear out expired certs.

Does the existence of expired certs cause problems for privoxy (or does it just ignore them?)

> Per the previous discussion, privoxy-pki-bundle uses these certs via a depends_lib, and unless a port revision is added by hand, the port inevitably will contain expired certs.
> The “solution” appears to be to bump the revision of privoxy-pki-bundle by hand whenever curl-ca-bundle is updated. I’m trying to identify a more automated and robust way of accomplishing that.

There's not currently a more automated way of doing this in MacPorts, but there could be /or/ there might be another alternative.

- MacPorts could grow a feature by which a port could specify that it needs to get rebuilt if something it depends on gets rebuilt (this would probably require another identifier along with epoch-version-revision or would require some magic behavior with one of the existing versioning numbers)
- privoxy could be modified to be able to use the files as-installed by curl-ca-bundle
- privoxy-pki-bundle could install a helper tool that can regen the files as needed when curl-ca-bundle files change
- privoxy could be modified to use the macOS Keychain and not need curl-ca-bundle

... there are probably other alternatives as well.

So far, when people encounter this problem, there hasn't been enough motivation for anyone to build a MacPorts feature to support it (but I'd be happy to see one).

Daniel J. Luke
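
One way the helper-tool alternative listed in the message above could detect a changed bundle, as an added example that is not from the original message or from MacPorts. The function names, the stamp file and the caller-supplied regeneration command are hypothetical, since the thread does not show what privoxy-pki-bundle actually generates.

```shell
#!/bin/sh
# Added example: rerun a regeneration command only when the source CA bundle
# has changed since the last successful run. All names here are hypothetical.

# Print the SHA-256 of a file with whichever tool is installed.
bundle_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# regen_if_changed SRC STAMP CMD [ARGS...]
#   SRC   - bundle file installed by the dependency (for example curl-ca-bundle)
#   STAMP - file holding the digest of SRC from the last successful run
#   CMD   - regeneration command; SRC is appended as its last argument
# Prints "regenerated" or "unchanged" and returns 0; returns 2 if SRC is
# unreadable or no digest could be computed, 1 if CMD fails.
regen_if_changed() {
    ric_src=$1; ric_stamp=$2; shift 2
    [ -r "$ric_src" ] || { echo "missing source"; return 2; }

    # Hash once, before regenerating, so the stamp always describes the
    # exact content the derived files were built from.
    ric_new=$(bundle_digest "$ric_src")
    [ -n "$ric_new" ] || { echo "no digest"; return 2; }
    ric_old=$(cat "$ric_stamp" 2>/dev/null || true)

    if [ "$ric_new" = "$ric_old" ]; then
        echo "unchanged"
        return 0
    fi

    # A failed regeneration leaves the old stamp in place, so the next run
    # tries again instead of treating stale output as current.
    "$@" "$ric_src" || { echo "failed"; return 1; }

    # Write the stamp through a temporary file and rename it into place.
    printf '%s\n' "$ric_new" > "$ric_stamp.tmp.$$" &&
        mv "$ric_stamp.tmp.$$" "$ric_stamp"
    echo "regenerated"
}
```

A check like this could run from a periodic job or a post-activation step; which of those MacPorts would support is outside what the thread states.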
