provide latest OS root certificates via port?
Richard Bonomo TDS personal
bonomo at tds.net
Fri Oct 29 15:17:52 UTC 2021
I don't know what to think about MacPorts, specifically, providing
new certificates, but, pertaining to some of the arguments presented
against doing this on old Macs generally, it must be kept in mind
that some of us -- including yours truly -- have Apple computers that
CANNOT use newer operating systems or browsers. Sometimes, one has
to work with what one has.
Rich
----- Original Message -----
From: "Bill Cole" <macportsusers-20171215 at billmail.scconsult.com>
To: "macports-users Users" <macports-users at lists.macports.org>
Sent: Friday, October 29, 2021 10:09:45 AM
Subject: Re: provide latest OS root certificates via port?
On 2021-10-29 at 07:23:38 UTC-0400 (Fri, 29 Oct 2021 07:23:38 -0400)
Richard L. Hamilton <rlhamil at smart.net>
is rumored to have said:
> You're (probably - seems plausible but I haven't verified it myself)
> right that that's annoying and fixable.
>
> But there's a big reason to think carefully about whether to do that.
> If something is old enough that it isn't receiving certificate
> updates, it probably isn't receiving security updates either. And the
> same applications and functionality that need current root
> certificates to work are also likely to be common attack points.
>
> So at the very least, anything that makes it easier to take such a
> risk should come with a prominent warning, IMO.
Yes: Anyone running Mojave or earlier is not exactly skydiving without a
parachute, but is doing something close. Perhaps it's akin to skydiving
with a homemade parachute...
Frankly, I don't think MacPorts should attempt to 'fix' this issue or
similar future issues diretly, not because it encourages risky behavior
but because MacPorts should avoid poking around in the MacOS base at all
where it isn't essential for the operation of MacPorts. It's easy enough
in principle for MacPorts to stand up and use its own modern OSS-based
encryption+PKI stack with its own set of trusted CAs (e.g.
curl-ca-bundle and openssl ports) and so keep itself functional without
poking around in core functionality of the OS that MacPorts-naive tools
need to use. People who need to fix the problem of an expired root cert
should be able to understand and repair that problem (which can be done
without digging a CA bundle out of a newer system) if they need to, and
having the issue unaddressed is not itself a security issue, but a
functionality issue. Anyone who actually wants to run Safari & Chrome on
an OS that isn't getting basic security maintenance should be thinking
very carefully about what they are doing and accept responsibility for
making something work which arguably should no longer work because it is
too risky.
One risk for MacPorts is a slippery slope created by providing support
for antique OS versions that include opaque proprietary bits that are
probably insecure in ways that no one fully understands. If it is taken
too far (which in my opinion includes fixing core components like PKI)
MP would be doing a disservice to users who understandably expect a
"Just Works" experience on a Mac by enabling the continued use of tools
that could well have permanent unrecognized and mostly invisible
security flaws.
>> On Oct 29, 2021, at 07:12, René J.V. Bertin <rjvbertin at gmail.com>
>> wrote:
>>
>> Hi,
>>
>> Users of older Apple OSes that are no longer receiving updates
>> probably noticed that Safari and Chrome-based browsers no longer
>> connect to lots of sites because a crucial root certificate has
>> expired.
>>
>> Answer 1 to
>> https://apple.stackexchange.com/questions/422332/how-do-i-update-my-root-certificates-on-an-older-version-of-mac-os-e-g-el-capi
>> provides an easy solution, but you need access to an up-to-date OS
>> install.
>>
>> These are not proprietary to Apple so I presume it should be possible
>> to provide the suggested `rootcerts.pem` file via a port - possibly
>> even install it in the post-activate. I had a look but couldn't find
>> if such a port already exists. I think it'd help for lots of
>> people... I'd propose a draft but I'm running 10.9 ... so thanks to
>> anyone picking this up!
>>
>> R.
>>
--
Bill Cole
bill at scconsult.com or billcole at apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
More information about the macports-users
mailing list