On 2021-10-29 at 07:23:38 UTC-0400 (Fri, 29 Oct 2021 07:23:38 -0400)
Richard L. Hamilton <rlha...@smart.net>
is rumored to have said:
You're (probably - seems plausible but I haven't verified it myself)
right that that's annoying and fixable.
But there's a big reason to think carefully about whether to do that.
If something is old enough that it isn't receiving certificate
updates, it probably isn't receiving security updates either. And the
same applications and functionality that need current root
certificates to work are also likely to be common attack points.
So at the very least, anything that makes it easier to take such a
risk should come with a prominent warning, IMO.
Yes: Anyone running Mojave or earlier is not exactly skydiving without a
parachute, but is doing something close. Perhaps it's akin to skydiving
with a homemade parachute...
Frankly, I don't think MacPorts should attempt to 'fix' this issue or
similar future issues diretly, not because it encourages risky behavior
but because MacPorts should avoid poking around in the MacOS base at all
where it isn't essential for the operation of MacPorts. It's easy enough
in principle for MacPorts to stand up and use its own modern OSS-based
encryption+PKI stack with its own set of trusted CAs (e.g.
curl-ca-bundle and openssl ports) and so keep itself functional without
poking around in core functionality of the OS that MacPorts-naive tools
need to use. People who need to fix the problem of an expired root cert
should be able to understand and repair that problem (which can be done
without digging a CA bundle out of a newer system) if they need to, and
having the issue unaddressed is not itself a security issue, but a
functionality issue. Anyone who actually wants to run Safari & Chrome on
an OS that isn't getting basic security maintenance should be thinking
very carefully about what they are doing and accept responsibility for
making something work which arguably should no longer work because it is
too risky.
One risk for MacPorts is a slippery slope created by providing support
for antique OS versions that include opaque proprietary bits that are
probably insecure in ways that no one fully understands. If it is taken
too far (which in my opinion includes fixing core components like PKI)
MP would be doing a disservice to users who understandably expect a
"Just Works" experience on a Mac by enabling the continued use of tools
that could well have permanent unrecognized and mostly invisible
security flaws.
On Oct 29, 2021, at 07:12, René J.V. Bertin <rjvber...@gmail.com>
wrote:
Hi,
Users of older Apple OSes that are no longer receiving updates
probably noticed that Safari and Chrome-based browsers no longer
connect to lots of sites because a crucial root certificate has
expired.
Answer 1 to
https://apple.stackexchange.com/questions/422332/how-do-i-update-my-root-certificates-on-an-older-version-of-mac-os-e-g-el-capi
provides an easy solution, but you need access to an up-to-date OS
install.
These are not proprietary to Apple so I presume it should be possible
to provide the suggested `rootcerts.pem` file via a port - possibly
even install it in the post-activate. I had a look but couldn't find
if such a port already exists. I think it'd help for lots of
people... I'd propose a draft but I'm running 10.9 ... so thanks to
anyone picking this up!
R.
--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
