[MacPorts] #46539: GitHub fetches fail under OSX 10.5 (and presumably 10.4)

MacPorts noreply at macports.org
Tue Jan 13 13:28:48 PST 2015


#46539: GitHub fetches fail under OSX 10.5 (and presumably 10.4)
---------------------+--------------------------------
  Reporter:  fw@…    |      Owner:  macports-tickets@…
      Type:  defect  |     Status:  new
  Priority:  Low     |  Milestone:
 Component:  base    |    Version:  2.3.3
Resolution:          |   Keywords:
      Port:          |
---------------------+--------------------------------

Comment (by fw@…):

 Replying to [comment:5 larryv@…]:
 > Replying to [comment:4 fw@…]:
 > > I hardly think that this is a serious enough problem to justify
 > > dropping support for all PowerMacs, which is what dropping 10.4 and
 > > 10.5 would do.
 >
 > We already don’t support 10.4 through 10.7. We try not to actively break
 > things on those systems if we can help it, and some of us go to great
 > lengths to keep ports working, but it’s all best-effort and not at all
 > guaranteed.

 Umm, from the homepage:

 "Installers for legacy platforms Lion, Snow Leopard, Leopard and Tiger are
 also available."

 So I guess it depends on what you mean by "supported". :-)
 >
 > > Another question is whether it would be acceptable to use
 > > /opt/local/bin/curl when available.
 >
 > MacPorts does not use the `curl(1)` executable. It links to the system
 > libcurl and calls into it directly.


 OK, different file, same concept.

 Actually, based on what I see in macports.conf, MacPorts ''does'' use its
 own tools when available (unless the default binpath setting is changed).
 However, that only applies to executables, not libraries; hence the
 libcurl/libssl issue.  That seems somewhat inconsistent.

 I've verified that I can make the fetch work under 10.5 by prefixing the
 command with "DYLD_LIBRARY_PATH=/opt/local/lib" (with the curl and openssl
 ports installed, of course).

 Replying to [comment:6 nad@…]:
 > "AFAICT, the system root CAs are fine, since I can access GitHub from
 > the old versions of Safari and Firefox on 10.5 just fine"
 >
 > FWIW, on 10.5 (and earlier), the system OpenSSL and curl do not use the
 > same source for root CAs as either Safari or Firefox.  By default, the
 > system curl looks for a certificate bundle file at
 > /usr/share/curl/curl-ca-bundle.crt, which you can manually update but,
 > as noted above, that still won't help for newer SHA256 certs. The system
 > OpenSSL looks for root CAs in /System/Library/OpenSSL.  Starting in 10.6,
 > if no root CA match is found in /System/Library/OpenSSL, the system
 > OpenSSL will consult the system trust store of certificates via TEA (see
 > https://hynek.me/articles/apple-openssl-verification-surprises/ for
 > details).

 Here, /System/Library/OpenSSL seems to be empty except for some scripts
 under misc/ (in both 10.5 and 10.9).  So either Safari and Firefox are
 using curl-ca-bundle.crt, or the browsers have their own root CAs
 elsewhere.

 Though if the only use of SSL in MacPorts itself is for fetching content
 that's independently checksum-verified, then it might be entirely
 reasonable for "fetch.ignore_sslcert=yes" to be the default, at least
 under 10.5 and earlier.


 Replying to [comment:9 cal@…]:
 > With outdated roots being a growing problem I don't see how a private
 > copy of libcurl would help here.

 But outdated roots isn't the issue, and if cert validation is considered
 unimportant (see my last comment), then it wouldn't matter if it were.

-- 
Ticket URL: <https://trac.macports.org/ticket/46539#comment:10>
MacPorts <https://www.macports.org/>
Ports system for OS X
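
The comment above leans on fetched content being independently checksum-verified. As an added example (not part of the ticket and not MacPorts code), this sketch parses a Portfile-style `checksums` stanza and checks a downloaded file against it, failing closed; the function names, the `HASHES` table and the sample data are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os
import tempfile

# Portfile checksum type -> hashlib name (rmd160 depends on the OpenSSL build).
HASHES = {"sha256": "sha256", "rmd160": "ripemd160"}

def parse_checksums(stanza):
    """Parse a Portfile-style `checksums` stanza into {type: value}."""
    tokens = stanza.replace("\\\n", " ").split()
    if len(tokens) < 3 or tokens[0] != "checksums" or len(tokens) % 2 == 0:
        raise ValueError("malformed checksums stanza")
    return dict(zip(tokens[1::2], tokens[2::2]))

def verify_distfile(path, expected):
    """Return a list of problems; an empty list means the file is accepted."""
    problems = [] if "sha256" in expected else ["no sha256 pinned"]
    with open(path, "rb") as fh:
        data = fh.read()
    for kind, want in expected.items():
        if kind == "size":
            got = str(len(data))
        elif kind in HASHES:
            try:
                got = hashlib.new(HASHES[kind], data).hexdigest()
            except ValueError:  # digest missing from this build: fail closed
                problems.append(kind + " unavailable")
                continue
        else:
            problems.append("unknown checksum type " + kind)
            continue
        if not hmac.compare_digest(got, want.lower()):
            problems.append(kind + " mismatch")
    return problems

def demo():
    """Constructed sample: one pinned stanza, a clean file and a tampered one."""
    clean = b"constructed distfile contents\n"
    stanza = ("checksums  sha256  " + hashlib.sha256(clean).hexdigest() +
              " \\\n           size    " + str(len(clean)))
    expected = parse_checksums(stanza)
    results = {}
    for name, body in (("clean", clean), ("tampered", clean + b"x")):
        with tempfile.NamedTemporaryFile(delete=False) as fh:
            fh.write(body)
        results[name] = verify_distfile(fh.name, expected)
        os.unlink(fh.name)
    return results

if __name__ == "__main__":
    print(demo())
```

The check is only as trustworthy as the channel that delivered the pinned values, so the stanza itself has to arrive over an authenticated path.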

