[MacPorts] #51516: MacPorts should use a bundled copy of a newer libcurl and SSL library rather than the OS X version
MacPorts
noreply at macports.org
Mon Mar 12 12:24:57 UTC 2018
#51516: MacPorts should use a bundled copy of a newer libcurl and SSL library
rather than the OS X version
--------------------------+--------------------------------
  Reporter:  ryandesign   |      Owner:  macports-tickets@…
      Type:  enhancement  |     Status:  new
  Priority:  Normal       |  Milestone:  MacPorts Future
 Component:  base         |    Version:
Resolution:               |   Keywords:
      Port:               |
--------------------------+--------------------------------
Comment (by ryandesign):
Replying to [comment:46 neverpanic]:
> Replying to [comment:44 ryandesign]:
> > Yes, I know that merely using a bundled curl that's still linked with
> > the system's openssl will not solve all of the problems being discussed in
> > this ticket. But I think we should still do it because it will solve some
> > of the problems (e.g. comment:30).
>
> I think we all agree that we should not bundle an SSL library with
> MacPorts.

I do not agree yet. Older OSes need a newer ssl library to fetch from some
https sites. So can't we provide a newer openssl or libressl on older
systems, and use Apple's Secure Transport on newer ones? Yes, there might
be security vulnerabilities discovered in the ssl library we bundle, but
isn't it likely that there are fewer vulnerabilities in it than in the old
openssl version used on those systems?

Your objection in comment:3 was that we should not distribute a CA bundle.
Would bundling an ssl library require us to include a CA bundle? Doesn't the
OS ship with one that we could use? Or is that part of the problem—the old
OS's CA bundle doesn't contain the information needed to trust new sites?

> Now that the mirroring is fixed, I'm wondering whether we should just
> close this ticket as wontfix. You mentioned that you want a bundled
> libcurl in MacPorts for other reasons, but the cosmetic issue you linked
> in #51045 does in my opinion not warrant the additional effort of bundling
> libcurl (especially since it's fixed since two OS releases and we could
> add a simple workaround in base for that).
>
> Do you have any other reasons for bundling a libcurl? If not, I would
> close this ticket as wontfix.

#51045 was merely the first example of a curl bug that's fixed in newer
versions that I found to link to this ticket. There's another cosmetic
issue I found on Leopard that's been fixed. I'm sure there have been more
bugs fixed in curl over the years.

The main difficulty or effort of bundling libcurl was originally that we
didn't bundle any other software with MacPorts, so a method of doing that
had to be invented. Now that we have created that method and already use
it to bundle 4 libraries, it shouldn't be that difficult to bundle a few
more libraries for modern ssl support or xz decompression (#52000).

--
Ticket URL: <https://trac.macports.org/ticket/51516#comment:47>
MacPorts <https://www.macports.org/>
Ports system for macOS