[MacPorts] #51516: MacPorts should use a bundled copy of a newer libcurl and SSL library rather than the OS X version

MacPorts noreply at macports.org
Sun Jun 2 20:07:26 UTC 2024


#51516: MacPorts should use a bundled copy of a newer libcurl and SSL library
rather than the OS X version
--------------------------+--------------------------------
  Reporter:  ryandesign   |      Owner:  macports-tickets@…
      Type:  enhancement  |     Status:  new
  Priority:  Normal       |  Milestone:  MacPorts Future
 Component:  base         |    Version:
Resolution:               |   Keywords:
      Port:               |
--------------------------+--------------------------------

Comment (by noloader):

 Replying to [comment:119 catap]:
 > Replying to [comment:118 kencu]:
 > > or could we statically link against {{{/opt/local/lib/libcurl.a}}} to keep the installation robust between updates, I wonder...
 >
 > that means that in case of a security update of curl, a brand new version of MacPorts should be released.

 In the case of static linking for bootstrapping, cURL should be built with
 minimum components -- HTTPS and CA-certificates, and not much more.

 You may need Internationalized Domain Names (IDN) and IPv6, but you don't
 need http/3, quic, ftp, file, ldap, ldaps, rtsp, proxy, dict, telnet,
 tftp, pop3, imap, smb, smtp, gopher, cookies, and other extras.

 > Last week Nginx had an update which includes fixes for 4(!) CVEs in HTTP/3.

 In this specific case (thought experiment), https/3 would not trigger a
 cURL rebuild since it would not be included in the bootstrap version used
 during static linking. The full version of cURL would need rebuild, but
 not programs that use the bootstrap version.

 Jeff

-- 
Ticket URL: <https://trac.macports.org/ticket/51516#comment:128>
MacPorts <https://www.macports.org/>
Ports system for macOS
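
An added example (not part of the ticket comment and not MacPorts code): a shell check that a libcurl build stays within the minimal bootstrap profile discussed above, fed with the output of `curl-config --protocols` and `curl-config --features`. The allow-list, the function names and the sample input are assumptions constructed for illustration.

```shell
#!/bin/sh
# Assumed bootstrap profile: only these protocols may be compiled in.
ALLOWED_PROTOCOLS="HTTP HTTPS"

# Succeeds if name $1 appears in the newline-separated list $2 (case-insensitive).
has_item() {
    printf '%s\n' "$2" | grep -qixF -- "$1"
}

# Print each protocol from list $1 that is outside ALLOWED_PROTOCOLS.
# curl-config prints protocol names in upper case, one per line.
extra_protocols() {
    printf '%s\n' "$1" | while IFS= read -r proto; do
        [ -n "$proto" ] || continue
        case " $ALLOWED_PROTOCOLS " in
            *" $proto "*) ;;
            *) printf '%s\n' "$proto" ;;
        esac
    done
}

# $1 = protocol list, $2 = feature list. Returns 1 if the build carries more
# than the profile allows, or cannot do HTTPS at all.
audit_bootstrap_curl() {
    status=0
    for proto in $(extra_protocols "$1"); do
        printf 'unexpected protocol: %s\n' "$proto"; status=1
    done
    has_item SSL "$2" || { echo 'missing feature: SSL (no HTTPS)'; status=1; }
    if has_item HTTP3 "$2"; then echo 'unexpected feature: HTTP3'; status=1; fi
    return "$status"
}

# Constructed sample of a full-featured build, not captured from a real system.
SAMPLE_PROTOCOLS="DICT
FILE
FTP
HTTP
HTTPS
IMAP"
SAMPLE_FEATURES="HTTP3
IPv6
SSL"

# Real use: audit_bootstrap_curl "$(curl-config --protocols)" "$(curl-config --features)"
audit_bootstrap_curl "$SAMPLE_PROTOCOLS" "$SAMPLE_FEATURES" ||
    echo 'build exceeds the bootstrap profile'
```

A build that passes this check is unaffected by advisories in the protocols it omits, which is the rebuild-avoidance argument made in the comment.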

