provide latest OS root certificates via port?

Christopher Jones jonesc at hep.phy.cam.ac.uk
Fri Oct 29 17:26:54 UTC 2021



> On 29 Oct 2021, at 4:17 pm, Richard Bonomo TDS personal <bonomo at tds.net> wrote:
> 
> 
> I don't know what to think about MacPorts, specifically, providing
> new certificates, but, pertaining to some of the arguments presented
> against doing this on old Macs generally, it must be kept in mind
> that some of us -- including yours truly -- have Apple computers that
> CANNOT use newer operating systems or browsers.  Sometimes, one has
> to work with what one has.

There are other OSes, Linux distros for instance, designed for such scenarios.

> 
> Rich
> 
> ----- Original Message -----
> From: "Bill Cole" <macportsusers-20171215 at billmail.scconsult.com>
> To: "macports-users Users" <macports-users at lists.macports.org>
> Sent: Friday, October 29, 2021 10:09:45 AM
> Subject: Re: provide latest OS root certificates via port?
> 
> On 2021-10-29 at 07:23:38 UTC-0400 (Fri, 29 Oct 2021 07:23:38 -0400)
> Richard L. Hamilton <rlhamil at smart.net>
> is rumored to have said:
> 
>> You're (probably - seems plausible but I haven't verified it myself) 
>> right that that's annoying and fixable.
>> 
>> But there's a big reason to think carefully about whether to do that. 
>> If something is old enough that it isn't receiving certificate 
>> updates, it probably isn't receiving security updates either. And the 
>> same applications and functionality that need current root 
>> certificates to work are also likely to be common attack points.
>> 
>> So at the very least, anything that makes it easier to take such a 
>> risk should come with a prominent warning, IMO.
> 
> Yes: Anyone running Mojave or earlier is not exactly skydiving without a 
> parachute, but is doing something close. Perhaps it's akin to skydiving 
> with a homemade parachute...
> 
> Frankly, I don't think MacPorts should attempt to 'fix' this issue or 
> similar future issues directly, not because it encourages risky behavior 
> but because MacPorts should avoid poking around in the MacOS base at all 
> where it isn't essential for the operation of MacPorts. It's easy enough 
> in principle for MacPorts to stand up and use its own modern OSS-based 
> encryption+PKI stack with its own set of trusted CAs (e.g. 
> curl-ca-bundle and openssl ports) and so keep itself functional without 
> poking around in core functionality of the OS that MacPorts-naive tools 
> need to use. People who need to fix the problem of an expired root cert 
> should be able to understand and repair that problem (which can be done 
> without digging a CA bundle out of a newer system) if they need to, and 
> having the issue unaddressed is not itself a security issue, but a 
> functionality issue. Anyone who actually wants to run Safari & Chrome on 
> an OS that isn't getting basic security maintenance should be thinking 
> very carefully about what they are doing and accept responsibility for 
> making something work which arguably should no longer work because it is 
> too risky.
> 
> One risk for MacPorts is a slippery slope created by providing support 
> for antique OS versions that include opaque proprietary bits that are 
> probably insecure in ways that no one fully understands. If it is taken 
> too far (which in my opinion includes fixing core components like PKI) 
> MP would be doing a disservice to users who understandably expect a 
> "Just Works" experience on a Mac by enabling the continued use of tools 
> that could well have permanent unrecognized and mostly invisible 
> security flaws.
> 
> 
>>> On Oct 29, 2021, at 07:12, René J.V. Bertin <rjvbertin at gmail.com> 
>>> wrote:
>>> 
>>> Hi,
>>> 
>>> Users of older Apple OSes that are no longer receiving updates 
>>> probably noticed that Safari and Chrome-based browsers no longer 
>>> connect to lots of sites because a crucial root certificate has 
>>> expired.
>>> 
>>> Answer 1 to 
>>> https://apple.stackexchange.com/questions/422332/how-do-i-update-my-root-certificates-on-an-older-version-of-mac-os-e-g-el-capi 
>>> provides an easy solution, but you need access to an up-to-date OS 
>>> install.
>>> 
>>> These are not proprietary to Apple so I presume it should be possible 
>>> to provide the suggested `rootcerts.pem` file via a port - possibly 
>>> even install it in the post-activate. I had a look but couldn't find 
>>> if such a port already exists. I think it'd help for lots of 
>>> people... I'd propose a draft but I'm running 10.9 ... so thanks to 
>>> anyone picking this up!
>>> 
>>> R.
>>> 
> 
> 
> -- 
> Bill Cole
> bill at scconsult.com or billcole at apache.org
> (AKA @grumpybozo and many *@billmail.scconsult.com addresses)
> Not Currently Available For Hire
