provide latest OS root certificates via port?
Bill Cole
macportsusers-20171215 at billmail.scconsult.com
Fri Oct 29 16:14:37 UTC 2021
On 2021-10-29 at 11:17:52 UTC-0400 (Fri, 29 Oct 2021 11:17:52 -0400
(EDT))
Richard Bonomo TDS personal <bonomo at tds.net>
is rumored to have said:
> I don't know what to think about MacPorts, specifically, providing
> new certificates, but, pertaining to some of the arguments presented
> against doing this on old Macs generally, it must be kept in mind
> that some of us --
> including yours truly --
> have Apple computers that
> CANNOT use newer operating systems or browsers. Sometimes, one has
> to work with what one has.
Sure, and I am not saying that MP should abandon older systems or that
you and I and everyone else still running older systems is doing
anything "wrong" but simply that it is risky and cannot be safe without
the recognition that you have to understand and manage your risks
without vendor support.
Some people have expressed more judgmental views here in the past,
arguing that older Macs should be relegated to running other, free OSs
that have active security maintenance and suggesting that MP deprecate
MacOS versions no longer supported by Apple. I'm NOT saying that, but
rather that users should understand their risks and MP should not take
on the doomed task of de facto trying to maintain OS versions which are
by any reasonable definition obsolete. The norm for MP has been to offer
parallel tools to those in the OS (e.g. current packages that match what
Apple used to include in Server) and leave the issue of whether & how to
user them to actually replace Apple's tools up to the user.
> ----- Original Message -----
> From: "Bill Cole" <macportsusers-20171215 at billmail.scconsult.com>
> To: "macports-users Users" <macports-users at lists.macports.org>
> Sent: Friday, October 29, 2021 10:09:45 AM
> Subject: Re: provide latest OS root certificates via port?
>
> On 2021-10-29 at 07:23:38 UTC-0400 (Fri, 29 Oct 2021 07:23:38 -0400)
> Richard L. Hamilton <rlhamil at smart.net>
> is rumored to have said:
>
>> You're (probably - seems plausible but I haven't verified it myself)
>> right that that's annoying and fixable.
>>
>> But there's a big reason to think carefully about whether to do that.
>> If something is old enough that it isn't receiving certificate
>> updates, it probably isn't receiving security updates either. And the
>> same applications and functionality that need current root
>> certificates to work are also likely to be common attack points.
>>
>> So at the very least, anything that makes it easier to take such a
>> risk should come with a prominent warning, IMO.
>
> Yes: Anyone running Mojave or earlier is not exactly skydiving without
> a
> parachute, but is doing something close. Perhaps it's akin to
> skydiving
> with a homemade parachute...
>
> Frankly, I don't think MacPorts should attempt to 'fix' this issue or
> similar future issues diretly, not because it encourages risky
> behavior
> but because MacPorts should avoid poking around in the MacOS base at
> all
> where it isn't essential for the operation of MacPorts. It's easy
> enough
> in principle for MacPorts to stand up and use its own modern OSS-based
> encryption+PKI stack with its own set of trusted CAs (e.g.
> curl-ca-bundle and openssl ports) and so keep itself functional
> without
> poking around in core functionality of the OS that MacPorts-naive
> tools
> need to use. People who need to fix the problem of an expired root
> cert
> should be able to understand and repair that problem (which can be
> done
> without digging a CA bundle out of a newer system) if they need to,
> and
> having the issue unaddressed is not itself a security issue, but a
> functionality issue. Anyone who actually wants to run Safari & Chrome
> on
> an OS that isn't getting basic security maintenance should be thinking
> very carefully about what they are doing and accept responsibility for
> making something work which arguably should no longer work because it
> is
> too risky.
>
> One risk for MacPorts is a slippery slope created by providing support
> for antique OS versions that include opaque proprietary bits that are
> probably insecure in ways that no one fully understands. If it is
> taken
> too far (which in my opinion includes fixing core components like PKI)
> MP would be doing a disservice to users who understandably expect a
> "Just Works" experience on a Mac by enabling the continued use of
> tools
> that could well have permanent unrecognized and mostly invisible
> security flaws.
>
>
>>> On Oct 29, 2021, at 07:12, René J.V. Bertin <rjvbertin at gmail.com>
>>> wrote:
>>>
>>> Hi,
>>>
>>> Users of older Apple OSes that are no longer receiving updates
>>> probably noticed that Safari and Chrome-based browsers no longer
>>> connect to lots of sites because a crucial root certificate has
>>> expired.
>>>
>>> Answer 1 to
>>> https://apple.stackexchange.com/questions/422332/how-do-i-update-my-root-certificates-on-an-older-version-of-mac-os-e-g-el-capi
>>> provides an easy solution, but you need access to an up-to-date OS
>>> install.
>>>
>>> These are not proprietary to Apple so I presume it should be
>>> possible
>>> to provide the suggested `rootcerts.pem` file via a port - possibly
>>> even install it in the post-activate. I had a look but couldn't find
>>> if such a port already exists. I think it'd help for lots of
>>> people... I'd propose a draft but I'm running 10.9 ... so thanks to
>>> anyone picking this up!
>>>
>>> R.
>>>
>
>
> --
> Bill Cole
> bill at scconsult.com or billcole at apache.org
> (AKA @grumpybozo and many *@billmail.scconsult.com addresses)
> Not Currently Available For Hire
--
Bill Cole
bill at scconsult.com or billcole at apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
More information about the macports-users
mailing list