provide latest OS root certificates via port?
Christopher Jones
jonesc at hep.phy.cam.ac.uk
Fri Oct 29 17:26:54 UTC 2021
> On 29 Oct 2021, at 4:17 pm, Richard Bonomo TDS personal <bonomo at tds.net> wrote:
>
>
> I don't know what to think about MacPorts, specifically, providing
> new certificates, but, pertaining to some of the arguments presented
> against doing this on old Macs generally, it must be kept in mind
> that some of us -- including yours truly -- have Apple computers that
> CANNOT use newer operating systems or browsers. Sometimes, one has
> to work with what one has.
There are other OSes, Linux distros for instance, designed for such scenarios.
>
> Rich
>
> ----- Original Message -----
> From: "Bill Cole" <macportsusers-20171215 at billmail.scconsult.com>
> To: "macports-users Users" <macports-users at lists.macports.org>
> Sent: Friday, October 29, 2021 10:09:45 AM
> Subject: Re: provide latest OS root certificates via port?
>
> On 2021-10-29 at 07:23:38 UTC-0400 (Fri, 29 Oct 2021 07:23:38 -0400)
> Richard L. Hamilton <rlhamil at smart.net>
> is rumored to have said:
>
>> You're (probably - seems plausible but I haven't verified it myself)
>> right that that's annoying and fixable.
>>
>> But there's a big reason to think carefully about whether to do that.
>> If something is old enough that it isn't receiving certificate
>> updates, it probably isn't receiving security updates either. And the
>> same applications and functionality that need current root
>> certificates to work are also likely to be common attack points.
>>
>> So at the very least, anything that makes it easier to take such a
>> risk should come with a prominent warning, IMO.
>
> Yes: Anyone running Mojave or earlier is not exactly skydiving without a
> parachute, but is doing something close. Perhaps it's akin to skydiving
> with a homemade parachute...
>
> Frankly, I don't think MacPorts should attempt to 'fix' this issue or
> similar future issues directly, not because it encourages risky behavior
> but because MacPorts should avoid poking around in the MacOS base at all
> where it isn't essential for the operation of MacPorts. It's easy enough
> in principle for MacPorts to stand up and use its own modern OSS-based
> encryption+PKI stack with its own set of trusted CAs (e.g.
> curl-ca-bundle and openssl ports) and so keep itself functional without
> poking around in core functionality of the OS that MacPorts-naive tools
> need to use. People who need to fix the problem of an expired root cert
> should be able to understand and repair that problem (which can be done
> without digging a CA bundle out of a newer system) if they need to, and
> having the issue unaddressed is not itself a security issue, but a
> functionality issue. Anyone who actually wants to run Safari & Chrome on
> an OS that isn't getting basic security maintenance should be thinking
> very carefully about what they are doing and accept responsibility for
> making something work which arguably should no longer work because it is
> too risky.
>
> One risk for MacPorts is a slippery slope created by providing support
> for antique OS versions that include opaque proprietary bits that are
> probably insecure in ways that no one fully understands. If it is taken
> too far (which in my opinion includes fixing core components like PKI)
> MP would be doing a disservice to users who understandably expect a
> "Just Works" experience on a Mac by enabling the continued use of tools
> that could well have permanent unrecognized and mostly invisible
> security flaws.
>
>
>>> On Oct 29, 2021, at 07:12, René J.V. Bertin <rjvbertin at gmail.com>
>>> wrote:
>>>
>>> Hi,
>>>
>>> Users of older Apple OSes that are no longer receiving updates
>>> probably noticed that Safari and Chrome-based browsers no longer
>>> connect to lots of sites because a crucial root certificate has
>>> expired.
>>>
>>> Answer 1 to
>>> https://apple.stackexchange.com/questions/422332/how-do-i-update-my-root-certificates-on-an-older-version-of-mac-os-e-g-el-capi
>>> provides an easy solution, but you need access to an up-to-date OS
>>> install.
>>>
>>> These are not proprietary to Apple so I presume it should be possible
>>> to provide the suggested `rootcerts.pem` file via a port - possibly
>>> even install it in the post-activate. I had a look but couldn't find
>>> if such a port already exists. I think it'd help for lots of
>>> people... I'd propose a draft but I'm running 10.9 ... so thanks to
>>> anyone picking this up!
>>>
>>> R.
>>>
>
>
> --
> Bill Cole
> bill at scconsult.com or billcole at apache.org
> (AKA @grumpybozo and many *@billmail.scconsult.com addresses)
> Not Currently Available For Hire
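Bill's point that an expired root in a bundle is a functionality problem one can understand and repair oneself, and René's proposal to ship a current rootcerts.pem via a port, both come down to the same check: which certificates in a given PEM bundle are already expired or about to expire. The script below is an added example written for this page, not code from MacPorts, the curl-ca-bundle port, or any of the posters. It assumes only the openssl command-line tool and a POSIX shell; the sample bundle it builds for itself (two throwaway self-signed CAs, one valid for ten years and one for a single day) is constructed here for demonstration, and the path /opt/local/share/curl/curl-ca-bundle.crt in the usage comment is the location the curl-ca-bundle port is assumed to use under a default /opt/local prefix.

```shell
#!/bin/sh
# audit-bundle.sh: report the expiry state of every certificate in a PEM bundle.
# Added example for the macports-users thread above; not MacPorts' own code.
# Requires the openssl CLI. Tested logic: openssl x509 -checkend SECONDS exits
# 0 when the certificate is still valid SECONDS from now, non-zero otherwise.
set -eu

# audit_bundle BUNDLE [SECONDS]
# Prints one line per certificate: STATUS<TAB>notAfter<TAB>subject, where
# STATUS is OK or EXPIRING (expired now, or expiring within SECONDS).
# Returns 0 if every certificate survives the window, 1 if any does not.
audit_bundle() {
    bundle=$1
    window=${2:-0}
    tmpdir=$(mktemp -d)

    # Split the bundle on the PEM markers, one certificate per file.
    awk -v dir="$tmpdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert" n ".pem" }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$bundle"

    rc=0
    for f in "$tmpdir"/cert*.pem; do
        [ -f "$f" ] || continue
        subject=$(openssl x509 -in "$f" -noout -subject)
        notafter=$(openssl x509 -in "$f" -noout -enddate | sed 's/^notAfter=//')
        if openssl x509 -in "$f" -noout -checkend "$window" >/dev/null; then
            status=OK
        else
            status=EXPIRING
            rc=1
        fi
        printf '%s\t%s\t%s\n' "$status" "$notafter" "$subject"
    done
    rm -rf "$tmpdir"
    return $rc
}

# make_sample_bundle DIR
# Builds a constructed two-certificate bundle for demonstration (not real CAs):
# one self-signed root valid for 3650 days and one valid for only 1 day.
# Prints the path of the bundle it wrote.
make_sample_bundle() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Example Long-Lived Root" \
        -keyout "$dir/long.key" -out "$dir/long.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Soon-Expiring Root" \
        -keyout "$dir/short.key" -out "$dir/short.pem" 2>/dev/null
    cat "$dir/long.pem" "$dir/short.pem" > "$dir/bundle.pem"
    printf '%s\n' "$dir/bundle.pem"
}

# Stand-alone use, e.g. against the MacPorts bundle (path assumed, see lead-in):
#   sh audit-bundle.sh /opt/local/share/curl/curl-ca-bundle.crt 2592000
# flags anything expiring within 30 days. With no arguments nothing is audited,
# so the functions can be sourced or exercised by a caller.
if [ -n "${1:-}" ]; then
    audit_bundle "$1" "${2:-0}"
fi
```

Pointing this at a bundle tells you whether the bundle, not the OS keychain, is the problem. For tools that already honour their own CA file (curl with --cacert, or OpenSSL-based programs reading SSL_CERT_FILE) a current bundle from the curl-ca-bundle port is enough; Safari and other Security.framework clients consult the system trust store instead, which is exactly the part Bill argues MacPorts should leave alone.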