provide latest OS root certificates via port?

Michael keybounce at gmail.com
Fri Oct 29 16:02:34 UTC 2021


As a user who spent a week trying to figure out what was going on with more and more sites not working, making less of the information out there available to figure out how to solve the expired cert, it was really painful to find out that this was "known in advance", and worse, this implies that ANY "modern", "secure" OS is an inherent time-death, for no good reason.

Having an easy way to update certs would be wonderful.
Finding out the hard way that not only did I need to put the DST root in, but that in the next year there's a couple more that will expire, when this was something that could have, and should have, been made very public in advance, was painful.

Discovering the *harder* way that adding a root key to your personal account is not the same as adding it system wide, meaning that the first information I got wasn't even accurate, only made things worse -- I could browse the web just fine, but stuff running as root from launchd was using a different set of certs that did not include this.

Some sort of "Warning! This system is considered extremely vulnerable" is fine. But we see ATMs running Windows XP, voting machines running Vista, etc. Old systems being used past their expiration date is normal.

Or do you think that 50 year old FORTRAN programs on 370 systems should be retired and the entire financial system forced to rewrite code used all around the world?

>  Sometimes, one has to work with what one has.

Exactly.

> On 2021-10-29, at 8:17 AM, Richard Bonomo TDS personal <bonomo at tds.net> wrote:
> 
> 
> I don't know what to think about MacPorts, specifically, providing
> new certificates, but, pertaining to some of the arguments presented
> against doing this on old Macs generally, it must be kept in mind
> that some of us -- including yours truly -- have Apple computers that
> CANNOT use newer operating systems or browsers.  Sometimes, one has
> to work with what one has.
> 
> Rich
> 
> ----- Original Message -----
> From: "Bill Cole" <macportsusers-20171215 at billmail.scconsult.com>
> To: "macports-users Users" <macports-users at lists.macports.org>
> Sent: Friday, October 29, 2021 10:09:45 AM
> Subject: Re: provide latest OS root certificates via port?
> 
> On 2021-10-29 at 07:23:38 UTC-0400 (Fri, 29 Oct 2021 07:23:38 -0400)
> Richard L. Hamilton <rlhamil at smart.net>
> is rumored to have said:
> 
>> You're (probably - seems plausible but I haven't verified it myself) 
>> right that that's annoying and fixable.
>> 
>> But there's a big reason to think carefully about whether to do that. 
>> If something is old enough that it isn't receiving certificate 
>> updates, it probably isn't receiving security updates either. And the 
>> same applications and functionality that need current root 
>> certificates to work are also likely to be common attack points.
>> 
>> So at the very least, anything that makes it easier to take such a 
>> risk should come with a prominent warning, IMO.
> 
> Yes: Anyone running Mojave or earlier is not exactly skydiving without a 
> parachute, but is doing something close. Perhaps it's akin to skydiving 
> with a homemade parachute...
> 
> Frankly, I don't think MacPorts should attempt to 'fix' this issue or 
> similar future issues directly, not because it encourages risky behavior 
> but because MacPorts should avoid poking around in the MacOS base at all 
> where it isn't essential for the operation of MacPorts. It's easy enough 
> in principle for MacPorts to stand up and use its own modern OSS-based 
> encryption+PKI stack with its own set of trusted CAs (e.g. 
> curl-ca-bundle and openssl ports) and so keep itself functional without 
> poking around in core functionality of the OS that MacPorts-naive tools 
> need to use. People who need to fix the problem of an expired root cert 
> should be able to understand and repair that problem (which can be done 
> without digging a CA bundle out of a newer system) if they need to, and 
> having the issue unaddressed is not itself a security issue, but a 
> functionality issue. Anyone who actually wants to run Safari & Chrome on 
> an OS that isn't getting basic security maintenance should be thinking 
> very carefully about what they are doing and accept responsibility for 
> making something work which arguably should no longer work because it is 
> too risky.
> 
> One risk for MacPorts is a slippery slope created by providing support 
> for antique OS versions that include opaque proprietary bits that are 
> probably insecure in ways that no one fully understands. If it is taken 
> too far (which in my opinion includes fixing core components like PKI) 
> MP would be doing a disservice to users who understandably expect a 
> "Just Works" experience on a Mac by enabling the continued use of tools 
> that could well have permanent unrecognized and mostly invisible 
> security flaws.
> 
> 
>>> On Oct 29, 2021, at 07:12, René J.V. Bertin <rjvbertin at gmail.com> 
>>> wrote:
>>> 
>>> Hi,
>>> 
>>> Users of older Apple OSes that are no longer receiving updates 
>>> probably noticed that Safari and Chrome-based browsers no longer 
>>> connect to lots of sites because a crucial root certificate has 
>>> expired.
>>> 
>>> Answer 1 to 
>>> https://apple.stackexchange.com/questions/422332/how-do-i-update-my-root-certificates-on-an-older-version-of-mac-os-e-g-el-capi 
>>> provides an easy solution, but you need access to an up-to-date OS 
>>> install.
>>> 
>>> These are not proprietary to Apple so I presume it should be possible 
>>> to provide the suggested `rootcerts.pem` file via a port - possibly 
>>> even install it in the post-activate. I had a look but couldn't find 
>>> if such a port already exists. I think it'd help for lots of 
>>> people... I'd propose a draft but I'm running 10.9 ... so thanks to 
>>> anyone picking this up!
>>> 
>>> R.
>>> 
> 
> 
> -- 
> Bill Cole
> bill at scconsult.com or billcole at apache.org
> (AKA @grumpybozo and many *@billmail.scconsult.com addresses)
> Not Currently Available For Hire
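The thread's pain point is not knowing which roots in a bundle have already expired or are about to. The script below is an added example, not code from this thread, MacPorts or Apple: it walks a PEM bundle (such as the `rootcerts.pem` or the curl-ca-bundle file mentioned above) with only the Python standard library, pulls each certificate's notAfter field out of the DER, and flags it as expired or expiring within a year. The bundle it audits in `demo_report` is a constructed certificate skeleton with empty names and no real key, built just so the parser has something to read; `time_tag` and the function names are this example's own.

```python
import base64
import re
from datetime import datetime, timezone

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def der_tlv(buf, off):
    """Decode one DER TLV at buf[off]; return (tag, value, offset after it)."""
    tag, ln, off = buf[off], buf[off + 1], off + 2
    if ln & 0x80:  # long-form length: 0x80|n followed by n big-endian length bytes
        n, off = ln & 0x7F, off + (ln & 0x7F)
        ln = int.from_bytes(buf[off - n:off], "big")
    return tag, buf[off:off + ln], off + ln

def der_children(value):  # yield (tag, value) of each element nested inside a SEQUENCE value
    off = 0
    while off < len(value):
        tag, val, off = der_tlv(value, off)
        yield tag, val

def cert_not_after(der):
    """Return the notAfter time (UTC) of a DER-encoded X.509 certificate."""
    fields = list(der_children(next(der_children(der_tlv(der, 0)[1]))[1]))  # Certificate -> tbsCertificate
    fields = fields[1:] if fields[0][0] == 0xA0 else fields  # skip optional [0] EXPLICIT version (v2/v3)
    tag, value = list(der_children(fields[3][1]))[1]  # serial, sigAlg, issuer, validity{notBefore, notAfter}
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime vs GeneralizedTime
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def audit_bundle(pem_text, now, warn_days=365):
    """Classify every certificate in a PEM bundle as 'expired', 'expiring' (within warn_days) or 'ok'."""
    report = []
    for i, b64 in enumerate(PEM_RE.findall(pem_text)):
        not_after = cert_not_after(base64.b64decode("".join(b64.split())))
        days_left = (not_after - now).days
        status = "expired" if days_left < 0 else "expiring" if days_left <= warn_days else "ok"
        report.append((i, not_after, status))
    return report

def der_encode(tag, body):  # tiny DER encoder, used only to build the constructed sample below
    return bytes([tag]) + (bytes([len(body)]) if len(body) < 128 else bytes([0x82, len(body) >> 8, len(body) & 0xFF])) + body
def sample_pem(not_after, time_tag=0x17):
    """Constructed v1 certificate skeleton (empty names, no real key): only the validity field is meaningful."""
    validity = der_encode(0x30, der_encode(0x17, b"000101000000Z") + der_encode(time_tag, not_after))
    tbs = der_encode(0x30, der_encode(0x02, b"\x01") + der_encode(0x30, b"") + der_encode(0x30, b"") + validity)
    der = der_encode(0x30, tbs + der_encode(0x30, b"") + der_encode(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()

def demo_report():
    """Audit a constructed three-root bundle (UTCTime, UTCTime, GeneralizedTime) as of 2021-10-29, the thread's date."""
    bundle = sample_pem(b"210930140115Z") + sample_pem(b"220915000000Z") + sample_pem(b"20351231235959Z", 0x18)
    return audit_bundle(bundle, datetime(2021, 10, 29, tzinfo=timezone.utc))
```

Point `audit_bundle` at the real bundle text and today's date to get the same report for an actual trust store; the user-keychain versus system-keychain split Michael describes means the bundle a root launchd job reads may differ from the one a browser uses, so each one is worth checking separately.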


