> On 29 Oct 2021, at 4:17 pm, Richard Bonomo TDS personal <bon...@tds.net> wrote:
>
> I don't know what to think about MacPorts, specifically, providing
> new certificates, but, pertaining to some of the arguments presented
> against doing this on old Macs generally, it must be kept in mind
> that some of us -- including yours truly -- have Apple computers that
> CANNOT use newer operating systems or browsers. Sometimes, one has
> to work with what one has.

There are other OSes, linux distros for instance, designed for such scenarios..

> Rich
>
> ----- Original Message -----
> From: "Bill Cole" <macportsusers-20171...@billmail.scconsult.com>
> To: "macports-users Users" <macports-users@lists.macports.org>
> Sent: Friday, October 29, 2021 10:09:45 AM
> Subject: Re: provide latest OS root certificates via port?
>
> On 2021-10-29 at 07:23:38 UTC-0400 (Fri, 29 Oct 2021 07:23:38 -0400)
> Richard L. Hamilton <rlha...@smart.net>
> is rumored to have said:
>
>> You're (probably - seems plausible but I haven't verified it myself)
>> right that that's annoying and fixable.
>>
>> But there's a big reason to think carefully about whether to do that.
>> If something is old enough that it isn't receiving certificate
>> updates, it probably isn't receiving security updates either. And the
>> same applications and functionality that need current root
>> certificates to work are also likely to be common attack points.
>>
>> So at the very least, anything that makes it easier to take such a
>> risk should come with a prominent warning, IMO.
>
> Yes: Anyone running Mojave or earlier is not exactly skydiving without a
> parachute, but is doing something close. Perhaps it's akin to skydiving
> with a homemade parachute...
>
> Frankly, I don't think MacPorts should attempt to 'fix' this issue or
> similar future issues directly, not because it encourages risky behavior
> but because MacPorts should avoid poking around in the MacOS base at all
> where it isn't essential for the operation of MacPorts. It's easy enough
> in principle for MacPorts to stand up and use its own modern OSS-based
> encryption+PKI stack with its own set of trusted CAs (e.g.
> curl-ca-bundle and openssl ports) and so keep itself functional without
> poking around in core functionality of the OS that MacPorts-naive tools
> need to use. People who need to fix the problem of an expired root cert
> should be able to understand and repair that problem (which can be done
> without digging a CA bundle out of a newer system) if they need to, and
> having the issue unaddressed is not itself a security issue, but a
> functionality issue. Anyone who actually wants to run Safari & Chrome on
> an OS that isn't getting basic security maintenance should be thinking
> very carefully about what they are doing and accept responsibility for
> making something work which arguably should no longer work because it is
> too risky.
>
> One risk for MacPorts is a slippery slope created by providing support
> for antique OS versions that include opaque proprietary bits that are
> probably insecure in ways that no one fully understands. If it is taken
> too far (which in my opinion includes fixing core components like PKI)
> MP would be doing a disservice to users who understandably expect a
> "Just Works" experience on a Mac by enabling the continued use of tools
> that could well have permanent unrecognized and mostly invisible
> security flaws.
>
>>> On Oct 29, 2021, at 07:12, René J.V. Bertin <rjvber...@gmail.com>
>>> wrote:
>>>
>>> Hi,
>>>
>>> Users of older Apple OSes that are no longer receiving updates
>>> probably noticed that Safari and Chrome-based browsers no longer
>>> connect to lots of sites because a crucial root certificate has
>>> expired.
>>>
>>> Answer 1 to
>>> https://apple.stackexchange.com/questions/422332/how-do-i-update-my-root-certificates-on-an-older-version-of-mac-os-e-g-el-capi
>>>
>>> provides an easy solution, but you need access to an up-to-date OS
>>> install.
>>>
>>> These are not proprietary to Apple so I presume it should be possible
>>> to provide the suggested `rootcerts.pem` file via a port - possibly
>>> even install it in the post-activate. I had a look but couldn't find
>>> if such a port already exists. I think it'd help for lots of
>>> people... I'd propose a draft but I'm running 10.9 ... so thanks to
>>> anyone picking this up!
>>>
>>> R.
>>>
>
>
> --
> Bill Cole
> b...@scconsult.com or billc...@apache.org
> (AKA @grumpybozo and many *@billmail.scconsult.com addresses)
> Not Currently Available For Hire
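Bill's point that MacPorts tools can rely on a PEM CA bundle of their own (for instance the one the curl-ca-bundle port installs) rather than the OS keychain, and René's observation that it is an expired root that breaks connections, both reduce to one practical check: which certificates in a given bundle are already expired or about to expire. The script below is an added example written for this page; it is not code from MacPorts, from curl-ca-bundle, or from any of the posters. It assumes only that the `openssl` command-line tool is on PATH. `expiring_roots` and `count_expiring` are hypothetical helper names, and `make_test_bundle` generates constructed, throwaway self-signed "roots" purely so the check can be exercised offline.

```shell
#!/bin/sh
# Added example (not MacPorts or curl-ca-bundle code): report the roots in a
# PEM CA bundle that are expired or expire within a threshold, using only the
# openssl CLI and never touching the OS keychain.
set -eu

# expiring_roots BUNDLE [THRESHOLD_SECONDS]
# Prints "subject | notAfter" for every certificate in BUNDLE that has
# expired or will expire within THRESHOLD_SECONDS (default 0 = already expired).
expiring_roots() {
    bundle=$1
    threshold=${2:-0}
    tmp=$(mktemp -d)
    # Split the bundle into one file per certificate (one BEGIN..END block each).
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert%04d.pem", dir, n) }
        n { print > f }
        /-----END CERTIFICATE-----/ { close(f) }' "$bundle"
    for f in "$tmp"/cert*.pem; do
        [ -e "$f" ] || continue
        # "openssl x509 -checkend N" exits non-zero when the certificate
        # expires within the next N seconds, so a failure here means "flag it".
        if ! openssl x509 -in "$f" -noout -checkend "$threshold" >/dev/null 2>&1; then
            printf '%s | %s\n' \
                "$(openssl x509 -in "$f" -noout -subject)" \
                "$(openssl x509 -in "$f" -noout -enddate)"
        fi
    done
    rm -rf "$tmp"
}

# count_expiring BUNDLE [THRESHOLD_SECONDS]: number of flagged certificates.
count_expiring() {
    expiring_roots "$1" "${2:-0}" | wc -l | tr -d ' '
}

# make_test_bundle OUT DAYS...: constructed test data only. Writes one
# self-signed certificate per DAYS value into OUT so the check can run offline.
make_test_bundle() {
    out=$1; shift
    : > "$out"
    i=0
    for days in "$@"; do
        i=$((i + 1))
        tmpc=$(mktemp)
        openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
            -subj "/CN=Constructed Test Root $i" \
            -keyout /dev/null -out "$tmpc" 2>/dev/null
        cat "$tmpc" >> "$out"
        rm -f "$tmpc"
    done
}
```

Pointed at a real bundle, e.g. `expiring_roots /opt/local/share/curl/curl-ca-bundle.crt 2592000` (that path is assumed; `port contents curl-ca-bundle` shows where the port actually installs it), it lists roots that are gone or will be within 30 days. Tools that accept their own trust store, such as `curl --cacert` or `openssl verify -CAfile`, can then be pointed at that file, which is exactly the separation Bill describes: the MacPorts stack stays functional while the OS keychain is left alone.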