This repository has been archived by the owner. It is now read-only.

Remove curl-ca-bundle #28658

Closed
wants to merge 3 commits into from

Conversation

@jacknagel (Contributor) commented Apr 24, 2014

This is no longer used, directly or indirectly, by anything in core. I want to discourage its use, since providing an unsigned bundle of certificates and letting users place their trust in it is a poor practice.

The openssl formula provides a cert file that is bootstrapped using certificates from the system keychain. Additional certificates can be added in $(brew --prefix)/etc/openssl/certs, where they will be picked up by openssl. This is a far more reasonable solution.

@jacknagel (Contributor, Author) commented Apr 24, 2014

Another thing I'd like to address:

Currently, openssl's post-install step does two things: copy the system certificates to <openssldir>/osx_cert.pem, and then symlink it to <openssldir>/cert.pem.

The second step is skipped if cert.pem exists and is not a symlink. This was done to allow users to use this file to provide their own certs. I want to remove this behavior and recommend that users place custom .pem files in <openssldir>/certs (which openssl will recognize).
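An added example (my own, not code from the PR or from the Homebrew openssl formula) of the check a practitioner would run after dropping a custom CA into the openssl `certs` directory: OpenSSL's CApath lookup finds issuers by subject-hash file name, so a copied .pem only takes effect once the directory has the hashed links that the c_rehash script shipped with OpenSSL creates (here the hash is made by hand with `openssl x509 -subject_hash`). It assumes a POSIX shell with the openssl CLI on PATH; the CA and leaf certificate are constructed throw-aways in a temp directory.

```shell
# Added example, not code from the PR or the Homebrew openssl formula: a
# throw-away CA is dropped into a CApath-style "certs" directory and becomes
# usable only once the directory has the subject-hash links c_rehash creates.
set -eu

# make_test_pki DIR: constructed test CA + leaf certificate, nothing real.
make_test_pki() {
  d=$1
  printf '%s\n' '[req]' 'prompt = no' 'distinguished_name = dn' \
    'x509_extensions = ca_ext' '[dn]' 'CN = Example Test CA' \
    '[ca_ext]' 'basicConstraints = critical,CA:TRUE' > "$d/req.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$d/req.cnf" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -config "$d/req.cnf" -subj "/CN=leaf.test" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null
}

# rehash_dir CERTSDIR: give each .pem the <subject_hash>.0 link that OpenSSL's
# CApath lookup expects (a minimal stand-in for c_rehash / "openssl rehash").
rehash_dir() {
  for pem in "$1"/*.pem; do
    h=$(openssl x509 -noout -subject_hash -in "$pem")
    ln -sf "$(basename "$pem")" "$1/$h.0"
  done
}

# verify_with_capath CERTSDIR LEAF: 0 if openssl can chain LEAF to a root found
# through the hashed-directory lookup, the mechanism <openssldir>/certs relies on.
verify_with_capath() {
  openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

# demo: prints "<result before rehash> <result after rehash>", i.e. "missing found".
demo() {
  tmp=$(mktemp -d)
  mkdir "$tmp/certs"
  make_test_pki "$tmp"
  cp "$tmp/ca.pem" "$tmp/certs/"     # a bare copy of the .pem, as a user might do
  before=missing; verify_with_capath "$tmp/certs" "$tmp/leaf.pem" && before=found
  rehash_dir "$tmp/certs"
  after=missing; verify_with_capath "$tmp/certs" "$tmp/leaf.pem" && after=found
  rm -rf "$tmp"
  echo "$before $after"
}
```

Running `demo` against a real `$(brew --prefix)/etc/openssl/certs` is the same idea: copy the .pem in, rehash, then confirm with `openssl verify -CApath` before relying on it.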

@MikeMcQuaid (Member) commented Apr 24, 2014

Seems good 👍

@chdiza (Contributor) commented Apr 24, 2014

curl-ca-bundle is needed on Tigerbrew, I think even when one is using Leopard (if I recall, even Leopard's system certs are too old for some stuff, which makes the openssl trick ineffective). If that's true, then dropping curl-ca-bundle in Homebrew amounts to dropping Leopard. I know that's planned anyway, but maybe not this soon?

@MikeMcQuaid (Member) commented Apr 24, 2014

Even 10.6 is no longer officially supported, incidentally.

@jacknagel (Contributor, Author) commented Apr 24, 2014

As I explained, it's easy to add custom certs to our openssl installation. This formula is a security liability.

Tigerbrew is of course free to keep the formula if that is desired.

jacknagel added 3 commits Apr 24, 2014
Remove curl-ca-bundle
This is no longer used by anything in core.

The openssl formula provides a cert file that is bootstrapped using
certificates from the system keychain.

Additional certificates can be added in
  $(brew --prefix)/etc/openssl/certs

where they will be picked up by openssl.

@chdiza (Contributor) commented Apr 24, 2014

> As I explained, it's easy to add custom certs to our openssl installation. This formula is a security liability.

I agree; I'm not arguing against this change, I'm just pointing out a consequence of removing it.

@jacknagel jacknagel closed this Apr 24, 2014

@jacknagel jacknagel deleted the jacknagel:ca branch Apr 24, 2014

jacknagel added a commit that referenced this pull request Apr 24, 2014
Remove curl-ca-bundle
This is no longer used by anything in core.

The openssl formula provides a cert file that is bootstrapped using
certificates from the system keychain.

Additional certificates can be added in
  $(brew --prefix)/etc/openssl/certs

where they will be picked up by openssl.

Closes #28658.

@Homebrew Homebrew locked and limited conversation to collaborators Jul 11, 2014
