[MacPorts] #51516: MacPorts should use a bundled copy of a newer libcurl and SSL library rather than the OS X version

MacPorts noreply at macports.org
Mon Jun 3 09:56:59 UTC 2024


#51516: MacPorts should use a bundled copy of a newer libcurl and SSL library
rather than the OS X version
--------------------------+--------------------------------
  Reporter:  ryandesign   |      Owner:  macports-tickets@…
      Type:  enhancement  |     Status:  new
  Priority:  Normal       |  Milestone:  MacPorts Future
 Component:  base         |    Version:
Resolution:               |   Keywords:
      Port:               |
--------------------------+--------------------------------

Comment (by noloader):

 Replying to [comment:129 catap]:
 > Replying to [comment:128 noloader]:
 > > Replying to [comment:119 catap]:
 > > > Replying to [comment:118 kencu]:
 > > > > or could we statically link against {{{/opt/local/lib/libcurl.a}}} to keep the installation robust between updates, I wonder...
 > > >
 > > > that means that in case of a security update of curl a brand new version of MacPorts should be released.
 > >
 > > In the case of static linking for bootstrapping, cURL should be built with minimum components -- HTTPS and CA-certificates, and not much more.
 > >
 >
 > Which includes modern OpenSSL.

 OpenSSL is easy to build because it has almost no dependencies.

 Nowadays, for OpenSSL 3.x, the pain point is Perl. Perl is used to
 configure OpenSSL. Earlier versions of OpenSSL did not use Perl or require
 a modern version of Perl. OS X 10.4 and 10.5 do not have a new enough
 Perl, but that may not matter (if you are cross-compiling on a modern
 host).

 > And this is quite a deep hole.

 Here is my experience with this problem...

 I have a set of scripts I use to build modern tools on old OSes, like
 Ubuntu 4, Fedora 1 and OS X 10.5. The scripts use a bootstrapped Wget
 instead of a bootstrapped cURL. (You only need one of them. Once you have
 a bootstrapped downloader, you can build everything else).

 The bootstrap version of cURL or Wget has just enough features to download
 other packages. About all you need is a modern TLS library so you can do
 HTTPS. The requirements for TLS are TLS v1.0 or above, and a modern set of
 CA-Certificates.

 The bootstrapped version of cURL or Wget uses static linking. You don't
 have to worry about API and ABI compatibility because nothing gets loaded
 at runtime. In fact, you can move the bootstrapped cURL or Wget to
 anywhere on the filesystem and it just works because the programs use
 static linking. There's no need to solve runtime linking problems because
 of static linking.

 A bootstrapped version of cURL is what I am proposing for MacPorts. Once
 MacPorts has a downloader, it can download and build everything else.
 "Everything else" includes a fully featured version of OpenSSL and cURL.

-- 
Ticket URL: <https://trac.macports.org/ticket/51516#comment:133>
MacPorts <https://www.macports.org/>
Ports system for macOS

