[MacPorts] #51516: MacPorts should use a bundled copy of a newer libcurl and SSL library rather than the OS X version
MacPorts
noreply at macports.org
Tue Aug 11 20:54:44 UTC 2020
#51516: MacPorts should use a bundled copy of a newer libcurl and SSL library
rather than the OS X version
--------------------------+--------------------------------
  Reporter:  ryandesign   |      Owner:  macports-tickets@…
      Type:  enhancement  |     Status:  new
  Priority:  Normal       |  Milestone:  MacPorts Future
 Component:  base         |    Version:
Resolution:               |   Keywords:
      Port:               |
--------------------------+--------------------------------
Comment (by fhgwright):

In the narrower case where the only issue is the certificate validation
(and possibly too-old Apple root CAs), there could be a simpler fix.
Currently, it's possible to get around such issues by setting
fetch.ignore_sslcert. Aside from possibly using that on the command line,
there are currently 11 ports and one PortGroup that set that option. It
occurs to me that there could be a third value, 'auto', that maps to 'yes'
or 'no' depending on circumstances.

The simplest definition of "circumstances" would be whether it's an OS
version currently updated by Apple or not. It's reasonable to assume that
versions still updated by Apple have sufficiently recent root CAs, while
older OSes may not. If the only issue is whether the root CAs themselves
have expired, then that could be checked directly, but if multiple
certificates with different root CAs and different expirations are
possible, then it's not so easy to check.

Doing without the certificate checking altogether isn't **that** awful,
since distfiles need to pass checksum checks, anyway, but being a bit less
heavy-handed in suppressing the check would be a plus. The 'auto' setting
might even be a reasonable default.

It could also make a distinction between targeting a MacPorts distfile
mirror or an upstream distfile source. In the former case, the
certificate status could be known more accurately, while that isn't easily
possible for arbitrary upstream sources.
--
Ticket URL: <https://trac.macports.org/ticket/51516#comment:60>
MacPorts <https://www.macports.org/>
Ports system for macOS
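
An added example, not part of the ticket comment or of MacPorts base: one possible reading of the proposed 'auto' value, sketched in Python, that combines the OS-support test with a direct root-expiry check of the trust store. The names `resolve_ignore_sslcert`, `expired_roots`, `load_roots` and the sample roots are assumptions constructed for illustration; the 'auto' value itself exists only as the proposal above.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample in the dict shape ssl.SSLContext.get_ca_certs() returns.
SAMPLE_ROOTS = [
    {"subject": ((("organizationName", "Example Trust"),),
                 (("commonName", "Example Old Root"),)),
     "notAfter": "Sep 30 14:01:15 2021 GMT"},
    {"subject": ((("commonName", "Example Current Root"),),),
     "notAfter": "Jun  4 11:04:38 2035 GMT"},
]

def load_roots(cafile):
    """Parse a PEM bundle and return its CA certificates as dicts."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=cafile)
    return ctx.get_ca_certs()

def common_name(cert):
    """Pull the commonName out of the nested subject tuple."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return "<no commonName>"

def expired_roots(roots, now=None):
    """Names of roots whose notAfter is at or before `now` (UTC)."""
    now_ts = (now or datetime.now(timezone.utc)).timestamp()
    return [common_name(c) for c in roots
            if ssl.cert_time_to_seconds(c["notAfter"]) <= now_ts]

def resolve_ignore_sslcert(setting, os_still_updated, roots, now=None):
    """Map the hypothetical 'auto' value to 'yes' or 'no'."""
    if setting in ("yes", "no"):
        return setting
    if setting != "auto":
        raise ValueError(f"unknown value: {setting!r}")
    if os_still_updated:
        return "no"   # vendor still ships root updates: keep validating
    # Unsupported OS: skip validation only if the store has gone stale.
    # An expired root does not prove that a given server chains to it.
    return "yes" if expired_roots(roots, now) else "no"

if __name__ == "__main__":
    when = datetime(2022, 1, 1, tzinfo=timezone.utc)
    print(expired_roots(SAMPLE_ROOTS, when))
    print(resolve_ignore_sslcert("auto", False, SAMPLE_ROOTS, when))
```

Passing the output of `load_roots()` on an exported PEM bundle in place of `SAMPLE_ROOTS` runs the same check against a real trust store.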