[MacPorts] #51516: MacPorts should use a bundled copy of a newer libcurl and SSL library rather than the OS X version
MacPorts
noreply at macports.org
Mon Jun 3 09:56:59 UTC 2024
#51516: MacPorts should use a bundled copy of a newer libcurl and SSL library
rather than the OS X version
--------------------------+--------------------------------
Reporter: ryandesign | Owner: macports-tickets@…
Type: enhancement | Status: new
Priority: Normal | Milestone: MacPorts Future
Component: base | Version:
Resolution: | Keywords:
Port: |
--------------------------+--------------------------------
Comment (by noloader):
Replying to [comment:129 catap]:
> Replying to [comment:128 noloader]:
> > Replying to [comment:119 catap]:
> > > Replying to [comment:118 kencu]:
> > > > or could we statically link against {{{/opt/local/lib/libcurl.a}}} to keep the installation robust between updates, I wonder...
> > >
> > > that means that in case of a security update of curl, a brand new version of MacPorts should be released.
> >
> > In the case of static linking for bootstrapping, cURL should be built with minimum components -- HTTPS and CA-certificates, and not much more.
> >
>
> Which includes modern OpenSSL.
OpenSSL is easy to build because it has almost no dependencies.
Nowadays, for OpenSSL 3.x, the pain point is Perl. Perl is used to
configure OpenSSL. Earlier versions of OpenSSL did not use Perl or require
a modern version of Perl. OS X 10.4 and 10.5 do not have a new enough
Perl, but that may not matter (if you are cross-compiling on a modern
host).
> And this is quite a deep hole.
Here is my experience with this problem...
I have a set of scripts I use to build modern tools on old OSes, like
Ubuntu 4, Fedora 1 and OS X 10.5. The scripts use a bootstrapped Wget
instead of a bootstrapped cURL. (You only need one of them. Once you have
a bootstrapped downloader, you can build everything else).
The bootstrap version of cURL or Wget has just enough features to download
other packages. About all you need is a modern TLS library so you can do
HTTPS. The requirements for TLS are TLS v1.0 or above, and a modern set of
CA-Certificates.
The bootstrapped version of cURL or Wget uses static linking. You don't
have to worry about API and ABI compatibility because nothing gets loaded
at runtime. In fact, you can move the bootstrapped cURL or Wget to
anywhere on the filesystem and it just works because the programs use
static linking. There's no need to solve runtime linking problems because
of static linking.
A bootstrapped version of cURL is what I am proposing for MacPorts. Once
MacPorts has a downloader, it can download and build everything else.
"Everything else" includes a fully featured version of OpenSSL and cURL.
--
Ticket URL: <https://trac.macports.org/ticket/51516#comment:133>
MacPorts <https://www.macports.org/>
Ports system for macOS