[MacPorts] #51516: MacPorts should use a bundled copy of a newer libcurl and SSL library rather than the OS X version
MacPorts
noreply at macports.org
Sun Jun 2 20:07:26 UTC 2024
#51516: MacPorts should use a bundled copy of a newer libcurl and SSL library
rather than the OS X version
--------------------------+--------------------------------
Reporter: ryandesign | Owner: macports-tickets@…
Type: enhancement | Status: new
Priority: Normal | Milestone: MacPorts Future
Component: base | Version:
Resolution: | Keywords:
Port: |
--------------------------+--------------------------------
Comment (by noloader):
Replying to [comment:119 catap]:
> Replying to [comment:118 kencu]:
> > or could we statically link against {{{/opt/local/lib/libcurl.a}}} to keep the installation robust between updates, I wonder...
>
> that means that in case of a security update of curl, a brand new version of MacPorts should be released.
In the case of static linking for bootstrapping, cURL should be built with
minimum components -- HTTPS and CA-certificates, and not much more.
You may need Internationalized Domain Names (IDN) and IPv6, but you don't
need http/3, quic, ftp, file, ldap, ldaps, rtsp, proxy, dict, telnet,
tftp, pop3, imap, smb, smtp, gopher, cookies, and other extras.
> Last week Nginx had an update which includes fixes for 4(!) CVEs in HTTP/3.
In this specific case (thought experiment), HTTP/3 would not trigger a
cURL rebuild since it would not be included in the bootstrap version used
during static linking. The full version of cURL would need a rebuild, but
not programs that use the bootstrap version.
Jeff
--
Ticket URL: <https://trac.macports.org/ticket/51516#comment:128>
MacPorts <https://www.macports.org/>
Ports system for macOS
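
One way to check that a bootstrap libcurl build really is limited to the minimal protocol set described in the comment above. This is an added example, not code from the ticket or from MacPorts. The function names, the allowlist, and the sample lists are assumptions constructed for illustration, and it covers only the protocol list (one name per line, as printed by `curl-config --protocols`), not features such as cookies or proxy support.

```shell
#!/bin/sh
# Audit a libcurl protocol list against a minimal bootstrap profile.
# Assumption: HTTP is allowed alongside HTTPS because an HTTPS-capable
# libcurl reports both.
ALLOWED="HTTP HTTPS"

# Constructed sample: protocol list of a full-featured build.
FULL_SAMPLE="DICT
FILE
FTP
GOPHER
HTTP
HTTPS
IMAP
LDAP
POP3
RTSP
SMB
SMTP
TELNET
TFTP"

# Constructed sample: protocol list of a stripped bootstrap build.
MINIMAL_SAMPLE="HTTP
HTTPS"

# Print every protocol read from stdin that is not in the allowlist.
extra_protocols() {
    while IFS= read -r proto; do
        proto=$(printf '%s' "$proto" | tr -d '[:space:]' | tr '[:lower:]' '[:upper:]')
        [ -n "$proto" ] || continue
        case " $ALLOWED " in
            *" $proto "*) ;;                 # allowed, say nothing
            *) printf '%s\n' "$proto" ;;     # anything else is extra attack surface
        esac
    done
}

# Succeed only if HTTPS is present and nothing outside the allowlist is.
audit_build() {
    list=$(cat)
    printf '%s\n' "$list" | grep -qix 'HTTPS' || { echo "FAIL: HTTPS missing" >&2; return 1; }
    extras=$(printf '%s\n' "$list" | extra_protocols)
    [ -z "$extras" ] || { echo "FAIL: unexpected protocols: $(echo $extras)" >&2; return 1; }
    echo "OK: minimal profile"
}

printf '%s\n' "$FULL_SAMPLE" | audit_build || true
printf '%s\n' "$MINIMAL_SAMPLE" | audit_build
```

Against a real build, pipe the live list in instead of the samples: `curl-config --protocols | audit_build`.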