[MacPorts] #69605: curl: upgrade to 8.7.1 to address CVEs
MacPorts
noreply at macports.org
Wed Mar 27 20:02:49 UTC 2024
#69605: curl: upgrade to 8.7.1 to address CVEs
---------------------+------------------------
Reporter: blair | Owner: ryandesign
Type: update | Status: accepted
Priority: Normal | Milestone:
Component: ports | Version:
Resolution: | Keywords:
Port: curl |
---------------------+------------------------
Comment (by ryandesign):
We do already have a security policy that anyone can commit an update to a
port, even if not openmaintainer, if it resolves a security issue. This
justification has been used in previous curl updates such as
[47e2121c484a5a5192ac9ffd593d04da2a11d31b/macports-ports] and would apply
to the 8.7.1 update and indeed to most new curl versions since most of
them resolve some minor CVE. But I am working on the update now so just
give me a minute.
One reason why I keep a tighter rein on projects like curl and gettext
and libpng is that they provide fundamental functionality where breaking
them would affect a large number of ports. When I update these ports I
keep a close eye on the buildbot and make sure it builds on all OS
versions, and if it doesn't, I try to quickly remedy the situation (for
example [65b98a2a23939a4f6c4366c5a128a9357c0909fc/macports-ports]). If
others update the port under the openmaintainer umbrella they might not do
that which could result in a large number of subsequently updated ports
failing to build on the buildbot which would require significant work to
reschedule the failed builds after the problem is resolved. Not to mention
the inconvenience to users of the systems on which it failed. I'd rather
avoid that by, well, maintaining these ports.
The other reason with curl is that it is one of the few ports I maintain
that I am more involved with. With most ports I just update them and
barely know what the software does, but with curl I am subscribed to their
mailing lists, I file bug reports and pull requests, I've participated in
a recent curl meeting, and I do use curl myself. I may be deliberately
holding back an update because a problem with that release is currently
being discussed on the mailing list.
Also curl updates are a little more complicated than normal updates.
Updating curl requires revbumping p5-www-curl as well. It says so in the
port but drive-by contributors might overlook that. And by the time that a
curl update is available, probably an update of curl-ca-bundle is
available, so I do that first, and that's a little more complicated than a
normal update, and also documented, but possibly more complicated than
someone else really wants to tackle.
There may be changes other than updates that I was planning to include
with the next port update, which would be a bit silly to revbump the port
for all on their own.
So many reasons!
You are certainly always welcome to submit a pull request for any port.
Then a maintainer can easily approve it or request changes or make other
comments.
--
Ticket URL: <https://trac.macports.org/ticket/69605#comment:3>
MacPorts <https://www.macports.org/>
Ports system for macOS