tech-pkg archive


Re: builtin curl - especially on Darwin



* On 2017-05-09 at 12:59 BST, Sevan Janiyan wrote:

> Hi Lewis,
> 
> On 08/05/2017 23:12, J. Lewis Muir wrote:
> > I don't know if it's the best way, but I think you can make it not use
> > the native curl by setting the following in mk.conf (i.e., this will
> > make it use the pkgsrc curl):
> > 
> >   TOOLS_PLATFORM.curl=
> 
> Indeed that's an option, I was hoping to address the issue out of the
> box ideally in a systematic manner so you don't have to bump one in the
> case of a new release of Darwin, that doesn't apply to Linux distros and
> I'm not sure there's much legacy support in curl itself?

Trying to do it automatically would be pretty messy, as obviously
you'd need to use the platform curl to get the new curl and all of its
dependencies before you can start using the new curl, in which case
you're already insecure up to that point.  Or you use libfetch in the
meantime, but that just then gets really complicated from an
infrastructure point of view.  Then there's also the OpenSSL
dependency to be considered and whether you use the insecure version
that is shipped or have to now pull in OpenSSL from pkgsrc and all its
dependencies, or forego https:// MASTER_SITES support which is
becoming increasingly common.

The easiest option would be to do a MACHINE_PLATFORM test in
mk/tools/tools.Darwin.mk and not set TOOLS_PLATFORM.curl for older
platforms.

I'm not really a fan of doing that though.  You're already running an
OS which likely has multiple remote exploits that we have no ability
to fix, so it feels a bit pointless, and will ultimately make things
harder (and slower) for users to just get pkgsrc going on it.

-- 
Jonathan Perkin  -  Joyent, Inc.  -  www.joyent.com

