On May 23, 2022, at 21:16, Chris Jones wrote:

> On 23 May 2022, at 9:59 pm, Steven Smith wrote:
> 
>>> What has changed between the time that the buildbot built the package and 
>>> the time that the user installs it?
>> 
>> The certs in curl-ca-bundle are updated regularly to clear out expired certs.
>> 
>> Per the previous discussion, privoxy-pki-bundle uses these certs via a 
>> depends_lib, and unless a port revision is added by hand, the port 
>> inevitably will contain expired certs.
>> 
>> The “solution” appears to be to bump the revision of privoxy-pki-bundle by 
>> hand whenever curl-ca-bundle is updated. I’m trying to identify a more 
>> automated and robust way of accomplishing that.
> 
> The simple solution then is to just put a comment into the curl-ca-bundle 
> port next to the version/revision asking whoever updates it to bump the 
> revision of privoxy-pki-bundle at the same time. This simple but generally 
> effective solution is used in a number of ports with similar situations and 
> works well most of the time. I see no need to do anything more complex here, 
> particularly not to automate things such that the same port file installs 
> different things at different times. That lack of reproducibility is 
> definitely not wanted.

Right, this is what I already recommended. I'm happy to revbump 
privoxy-pki-bundle whenever I update curl-ca-bundle, but will forget if not 
reminded via a comment.

I do see that privoxy-pki-bundle depends on 
path:share/curl/curl-ca-bundle.crt:curl-ca-bundle, which means that certsync 
could also satisfy it. Whereas curl-ca-bundle is updated by me whenever mozilla 
releases a new certdata.txt, certsync installs a launchd plist that monitors 
the user's Keychain and whenever it is modified, it runs a program to generate 
a new ca bundle. If you intend to handle that situation, then you could do 
something similar and install a launchd plist that monitors the ca bundle and a 
program to regenerate your files whenever the ca bundle changes. Then revbumps 
would not be needed.

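For readers who have not seen how the certsync-style approach fits together, here is an added sketch of the launchd WatchPaths mechanism described in the last message. It is example code written for this page, not the privoxy-pki-bundle or certsync port's own code; the job label, the output directory under ${prefix}/etc/privoxy/CA, and the "split the bundle into one PEM file per certificate" regeneration step are assumptions chosen for illustration (the real port may derive something else from the bundle). The ${prefix}/share/curl/curl-ca-bundle.crt path is the one named in the thread.

```shell
#!/bin/sh
# Added example for the thread above; not the privoxy-pki-bundle port's code.
# A launchd job watches the curl-ca-bundle file and reruns this script, which
# regenerates derived files, so no revbump is needed when the bundle changes.

PREFIX="${PREFIX:-/opt/local}"
CA_BUNDLE="${CA_BUNDLE:-$PREFIX/share/curl/curl-ca-bundle.crt}"   # path from the thread
OUT_DIR="${OUT_DIR:-$PREFIX/etc/privoxy/CA}"                       # assumed destination
LABEL="org.macports.example.privoxy-ca-watch"                      # assumed label

# Emit the launchd plist. WatchPaths fires the job whenever the bundle is
# modified or replaced (e.g. by a port upgrade); RunAtLoad covers the first
# generation when the plist is loaded. $1 is the absolute path of this script.
make_plist() {
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>$LABEL</string>
    <key>ProgramArguments</key>
    <array>
        <string>$1</string>
        <string>regenerate</string>
    </array>
    <key>WatchPaths</key>
    <array>
        <string>$CA_BUNDLE</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>
EOF
}

# Regenerate derived files from the bundle: here, one PEM file per certificate.
# Idempotent, because launchd may run the job several times for one upgrade.
# Prints the number of certificates written.
regenerate() {
    bundle="$1"; out="$2"
    mkdir -p "$out"
    rm -f "$out"/cert-*.pem
    awk -v dir="$out" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%04d.pem", dir, n) }
        f != "" { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
    ' "$bundle"
    ls "$out"/cert-*.pem 2>/dev/null | wc -l | tr -d ' '
}

# Constructed two-entry sample bundle for offline testing; not real certificates.
write_sample_bundle() {
    cat > "$1" <<'EOF'
## Constructed sample bundle, not real CA certificates
-----BEGIN CERTIFICATE-----
AAAA
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
BBBB
-----END CERTIFICATE-----
EOF
}

# Usage: ./ca-watch.sh plist > ~/Library/LaunchAgents/$LABEL.plist
#        ./ca-watch.sh regenerate
case "${1:-}" in
    plist)      make_plist "$(cd "$(dirname "$0")" && pwd)/$(basename "$0")" ;;
    regenerate) regenerate "$CA_BUNDLE" "$OUT_DIR" ;;
esac
```

The point of the split is the same as certsync's: the derived files live outside the port's registry and are rebuilt from whatever curl-ca-bundle (or certsync) currently provides, so a stale copy cannot be frozen into a binary archive. The cost is the reproducibility concern raised earlier in the thread, since what ends up on disk now depends on when the job last ran rather than on the port revision.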