provide latest OS root certificates via port?

Richard L. Hamilton rlhamil at
Fri Oct 29 16:25:56 UTC 2021

> On Oct 29, 2021, at 12:02, Michael <keybounce at> wrote:
> As a user who spent a week trying to figure out what was going on with more and more sites not working, making less of the information out there available to figure out how to solve the expired cert, it was really painful to find out that this was "known in advance", and worse, this implies that ANY "modern", "secure" OS is an inherent time-death, for no good reason.
> Having an easy way to update certs would be wonderful.
> Finding out the hard way that not only did I need to put the DST root in, but that in the next year there's a couple more that will expire, when this was something that could have, and should have, been made very public in advance, was painful.
> Discovering the *harder* way that adding a root key to your personal account is not the same as adding it system wide, meaning that the first information I got wasn't even accurate, only made things worse -- I could browse the web just fine, but stuff running as root from launchd was using a different set of certs that did not include this.
> Some sort of "Warning! This system is considered extremely vulnerable" is fine. But we see ATMs running Windows XP, voting machines running Vista, etc. Old systems being used past their expiration date is normal.

The ancient (and inadequately audited and reviewed, even if not ancient) software on ATMs and voting machines should be a scandal. Although they are (supposedly) more physically controlled than user desktops/laptops are, and are at least INTENDED to be limited to specific kiosk-like functions and nothing else, so they're FAR less exposed (software-wise) than a browser accessing potentially anything, including once-legit sites that had been hacked to become nasty. The risks are (IMO) NOT THE SAME.

> Or do you think that 50 year old FORTRAN programs on 370 systems should be retired and the entire financial system forced to rewrite code used all around the world?

A heck of a lot had to be fixed for Y2K, and some things that couldn't be fixed were either replaced or tossed (including a few that were tossed simply because nobody would take responsibility to affirm that they didn't use dates, even though it was obvious). Been there, done that. It was only a big yawn-fest due to a LOT of hard work. Same thing will happen again in 2038 for any 32-bit Unix/Linux code, btw. That won't be modern desktops (just about all of which are already 64-bit, some now 64-bit only), but a heck of a lot of embedded devices may still be running that old code then. Fortunately I'm retired, so assuming I'm still around, I won't have to deal with THAT mess.

>> Sometimes, one has to work with what one has.
> Exactly.

Ok, sometimes. In a retro computing museum. Or in a nonprofit with no budget. But for anything serious, one REALLY should be aware of the risks, even if that means going back to pen, paper, and snail mail rather than taking the risks. Or else realizing that EVERYTHING they do where the information or transaction has any value at all is at greater risk of being corrupted or exploited by hostiles if they're doing it on that old system, at least if that system has Internet access.

But basically EVERY computer, even if the physical box could last longer, has support issues past 5 years old, CERTAINLY if one doesn't have a paid support contract. I have a box that's industrial enough that it's 20+ years old and has only had a drive or two (mirrored, so never any data loss) replaced, but I can't (ok, won't) afford a support contract for it (there probably is still support for an older OS version that could still run on it, those things were built like tanks!), so I know I'm taking my chances. In other words, no system seller is going to be on the hook to support an old system forever as part of the purchase price; if they'll provide extended support at all, you'd better expect to pay extra for that, every year. EVERYTHING costs, 'cause everybody has to make a living, including the rich people and the little people at the rich people's companies. Magic no problems forever does NOT exist.
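The quoted complaint earlier in this thread is that an expired root (the DST root) silently broke TLS for everything on an old system, and that nobody had flagged the expiry ahead of time. The only way to get ahead of that is to audit the trust bundle you actually rely on for roots that have expired or are close to it. The script below is an added example, not code from the thread or from MacPorts: it parses just enough DER/ASN.1 to pull the Validity field out of each X.509 certificate in a PEM bundle (standard library only, no openssl binary needed), and classifies each one as expired, expiring within a warning window, or ok. The sample bundle it ships with is constructed test data: structurally valid certificates with no real key or signature, whose dates are made up for the demo.

```python
"""Audit a PEM bundle of CA certificates for expired or soon-to-expire roots.

Added example, not from the mailing-list thread. Pure standard library:
a minimal DER walker extracts notBefore/notAfter from each certificate.
"""
import base64
import re
from datetime import datetime, timedelta, timezone


def _tlv(data, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def _time(tag, value):
    """Decode an X.509 Time (UTCTime 0x17 or GeneralizedTime 0x18) as aware UTC."""
    text = value.decode("ascii")
    if tag == 0x17:
        fmt = "%y%m%d%H%M%SZ"              # UTCTime: YYMMDDHHMMSSZ
    elif tag == 0x18:
        fmt = "%Y%m%d%H%M%SZ"              # GeneralizedTime: YYYYMMDDHHMMSSZ
    else:
        raise ValueError("unexpected Time tag 0x%02x" % tag)
    return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)


def cert_validity(der):
    """Return (notBefore, notAfter) for a DER-encoded X.509 certificate."""
    _, cert, _ = _tlv(der, 0)              # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert, 0)              # tbsCertificate ::= SEQUENCE
    tag, _, pos = _tlv(tbs, 0)             # [0] EXPLICIT version is optional
    if tag == 0xA0:
        tag, _, pos = _tlv(tbs, pos)       # serialNumber
    _, _, pos = _tlv(tbs, pos)             # signature AlgorithmIdentifier
    _, _, pos = _tlv(tbs, pos)             # issuer Name
    _, validity, _ = _tlv(tbs, pos)        # validity ::= SEQUENCE { notBefore, notAfter }
    t1, v1, p = _tlv(validity, 0)
    t2, v2, _ = _tlv(validity, p)
    return _time(t1, v1), _time(t2, v2)


PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def audit_bundle(pem_text, now=None, warn_days=365):
    """Classify each cert in a PEM bundle: returns [(status, notAfter), ...]."""
    now = now or datetime.now(timezone.utc)
    report = []
    for m in PEM_RE.finditer(pem_text):
        der = base64.b64decode("".join(m.group(1).split()))
        _, not_after = cert_validity(der)
        if not_after < now:
            status = "expired"
        elif not_after - now < timedelta(days=warn_days):
            status = "expiring"
        else:
            status = "ok"
        report.append((status, not_after))
    return report


# ---- constructed test data: unsigned, keyless certificate skeletons ----

def _enc(tag, body):
    """Minimal DER encoder (short and long form lengths)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def make_stub_cert(not_before, not_after):
    """Structurally valid X.509 v3 skeleton with real dates and empty Name/SPKI fields."""
    utc = lambda d: _enc(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    tbs = _enc(0x30, _enc(0xA0, _enc(0x02, b"\x02"))      # version v3
                     + _enc(0x02, b"\x01")                # serialNumber
                     + _enc(0x30, b"")                    # signature algorithm
                     + _enc(0x30, b"")                    # issuer
                     + _enc(0x30, utc(not_before) + utc(not_after))
                     + _enc(0x30, b"")                    # subject
                     + _enc(0x30, b""))                   # subjectPublicKeyInfo
    return _enc(0x30, tbs + _enc(0x30, b"") + _enc(0x03, b"\x00"))


def stub_pem(not_before, not_after):
    b64 = base64.b64encode(make_stub_cert(not_before, not_after)).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body


AUDIT_AT = datetime(2021, 10, 29, tzinfo=timezone.utc)     # the thread's date
SAMPLE_BUNDLE = "".join(stub_pem(*span) for span in [      # constructed dates
    (datetime(2000, 9, 30), datetime(2021, 9, 30)),        # already expired
    (datetime(2002, 6, 1), datetime(2022, 6, 1)),          # expires within a year
    (datetime(2010, 1, 1), datetime(2035, 1, 1)),          # fine
])


def sample_statuses():
    """Statuses of the constructed bundle as of AUDIT_AT."""
    return [status for status, _ in audit_bundle(SAMPLE_BUNDLE, now=AUDIT_AT)]


if __name__ == "__main__":
    for status, not_after in audit_bundle(SAMPLE_BUNDLE, now=AUDIT_AT):
        print(status, not_after.date())
```

Point it at a real bundle (for example the PEM file a port's curl or openssl is configured to read) and run it from cron so an "expiring" line shows up months ahead instead of as a mysterious handshake failure. It also bears on the other complaint in the quoted message: run the audit as the same user, and from the same context, as the service that is failing, since a root added to one user's store says nothing about what a daemon running as root will trust.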
