[MacPorts] #46539: GitHub fetches fail under OSX 10.5 (and presumably 10.4)
MacPorts
noreply at macports.org
Tue Jan 13 13:28:48 PST 2015
#46539: GitHub fetches fail under OSX 10.5 (and presumably 10.4)
---------------------+--------------------------------
Reporter: fw@… | Owner: macports-tickets@…
Type: defect | Status: new
Priority: Low | Milestone:
Component: base | Version: 2.3.3
Resolution: | Keywords:
Port: |
---------------------+--------------------------------
Comment (by fw@…):
Replying to [comment:5 larryv@…]:
> Replying to [comment:4 fw@…]:
> > I hardly think that this is a serious enough problem to justify
> > dropping support for all PowerMacs, which is what dropping 10.4 and
> > 10.5 would do.
>
> We already don’t support 10.4 through 10.7. We try not to actively break
> things on those systems if we can help it, and some of us go to great
> lengths to keep ports working, but it’s all best-effort and not at all
> guaranteed.
Umm, from the homepage:
"Installers for legacy platforms Lion, Snow Leopard, Leopard and Tiger are
also available."
So I guess it depends on what you mean by "supported". :-)
>
> > Another question is whether it would be acceptable to use
> > /opt/local/bin/curl when available.
>
> MacPorts does not use the `curl(1)` executable. It links to the system
> libcurl and calls into it directly.
OK, different file, same concept.
Actually, based on what I see in macports.conf, MacPorts ''does'' use its
own tools when available (unless the default binpath setting is changed).
However, that only applies to executables, not libraries; hence the
libcurl/libssl issue. That seems somewhat inconsistent.
I've verified that I can make the fetch work under 10.5 by prefixing the
command with "DYLD_LIBRARY_PATH=/opt/local/lib" (with the curl and openssl
ports installed, of course).
Replying to [comment:6 nad@…]:
> "AFAICT, the system root CAs are fine, since I can access GitHub from
> the old versions of Safari and Firefox on 10.5 just fine"
>
> FWIW, on 10.5 (and earlier), the system OpenSSL and curl do not use the
> same source for root CAs as either Safari or Firefox. By default, the
> system curl looks for a certificate bundle file at
> /usr/share/curl/curl-ca-bundle.crt, which you can manually update but, as
> noted above, that still won't help for newer SHA256 certs. The system
> OpenSSL looks for root CAs in /System/Library/OpenSSL. Starting in 10.6,
> if no root CA match is found in /System/Library/OpenSSL, the system
> OpenSSL will consult the system trust store of certificates via TEA (see
> https://hynek.me/articles/apple-openssl-verification-surprises/ for
> details).
Here, /System/Library/OpenSSL seems to be empty except for some scripts
under misc/ (in both 10.5 and 10.9). So either Safari and Firefox are
using curl-ca-bundle.crt, or the browsers have their own root CAs
elsewhere.
Though if the only use of SSL in MacPorts itself is for fetching content
that's independently checksum-verified, then it might be entirely
reasonable for "fetch.ignore_sslcert=yes" to be the default, at least
under 10.5 and earlier.
Replying to [comment:9 cal@…]:
> With outdated roots being a growing problem I don't see how a private
copy of libcurl would help here.
But outdated roots isn't the issue, and if cert validation is considered
unimportant (see my last comment), then it wouldn't matter if it were.
--
Ticket URL: <https://trac.macports.org/ticket/46539#comment:10>
MacPorts <https://www.macports.org/>
Ports system for OS X
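
The two default trust locations named in the quoted comment above (the curl bundle at /usr/share/curl/curl-ca-bundle.crt and the OpenSSL directory /System/Library/OpenSSL) can be inventoried with a short script. This is an added example, not part of the ticket or of MacPorts; the function names and the optional root-prefix argument are assumptions of the example, and cert.pem and certs/ are OpenSSL's standard file and directory names inside its configuration directory.

```shell
#!/bin/sh
# Added example: count the root certificates present in the two default
# trust locations discussed in the ticket. The optional first argument is
# a root prefix (an assumption of this example) so the check can be run
# against a mounted volume or a test tree; omit it on a live system.

# Print the number of PEM certificates in one file (0 if missing).
count_pem() {
    if [ -r "$1" ]; then
        grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
    else
        echo 0
    fi
}

# Print "curl=<n> openssl_file=<n> openssl_dir=<n>" for the tree under $1.
ca_inventory() {
    root=${1:-}
    bundle="$root/usr/share/curl/curl-ca-bundle.crt"
    ssldir="$root/System/Library/OpenSSL"
    dir_n=0
    # certs/ holds one certificate per file under hashed names;
    # scripts under misc/ are not trust anchors and are not counted.
    for f in "$ssldir"/certs/*; do
        [ -f "$f" ] || continue
        n=$(count_pem "$f")
        dir_n=$((dir_n + n))
    done
    echo "curl=$(count_pem "$bundle") openssl_file=$(count_pem "$ssldir/cert.pem") openssl_dir=$dir_n"
}

# Succeed only if at least one default location holds a certificate.
# An all-zero result means neither default location offers a root to
# verify a server chain against.
has_trust_anchors() {
    case $(ca_inventory "${1:-}") in
        "curl=0 openssl_file=0 openssl_dir=0") return 1 ;;
        *) return 0 ;;
    esac
}

ca_inventory "${1:-}"
```

A non-zero count only shows that roots are present; it says nothing about whether the linked libraries can verify the signature algorithm a server's chain uses.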