tech-pkg archive


Re: builtin curl - especially on Darwin

On Tue, May 09, 2017 at 01:18:04PM +0100, Jonathan Perkin wrote:
> * On 2017-05-09 at 12:59 BST, Sevan Janiyan wrote:
> > 
> > On 08/05/2017 23:12, J. Lewis Muir wrote:
> > > I don't know if it's the best way, but I think you can make it not use
> > > the native curl by setting the following in mk.conf (i.e., this will
> > > make it use the pkgsrc curl):
> > > 
> > >   TOOLS_PLATFORM.curl=
> > 
> > Indeed that's an option, I was hoping to address the issue out of the
> > box ideally in a systematic manner so you don't have to bump one in the
> > case of a new release of Darwin, that doesn't apply to Linux distros and
> > I'm not sure there's much legacy support in curl itself?
> Trying to do it automatically would be pretty messy, as obviously
> you'd need to use the platform curl to get the new curl and all of its
> dependencies before you can start using the new curl, in which case
> you're already insecure up to that point.  Or you use libfetch in the
> meantime, but that just then gets really complicated from an
> infrastructure point of view.  Then there's also the OpenSSL
> dependency to be considered and whether you use the insecure version
> that is shipped or have to now pull in OpenSSL from pkgsrc and all its
> dependencies, or forego https:// MASTER_SITES support which is
> becoming increasingly common.
> The easiest option would be to do a MACHINE_PLATFORM test in
> mk/tools/ and don't set TOOLS_PLATFORM.curl for older
> platforms.
> I'm not really a fan of doing that though.  You're already running an
> OS which likely has multiple remote exploits that we have no ability
> to fix, so it feels a bit pointless, and will ultimately make things
> harder (and slower) for users to just get pkgsrc going on it.

I agree with this.  Having pkgsrc track security advisories for native
programs on older OSes is a headache not worth importing.  For any OS
that's continuing to receive updates, this problem goes away once you
apply the vendor update.  For ones that are officially "dead" to the
vendor, it's reasonable to have to do the legwork yourself to keep
your outdated OS viable, e.g.:

  - Add an empty TOOLS_PLATFORM.curl to your, and blank
    out any other insecure tools that you don't want to get used by

  - Use PREFER_PKGSRC=yes so that you at least track pkgsrc's updates
    for vulnerabilities.

Johnny C. Lam
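A conditional form of the mk.conf workaround discussed in this thread, written as an added example rather than anything from the thread or from pkgsrc itself. It assumes the pkgsrc OPSYS and OS_VERSION variables are available when mk.conf is read (they are set in mk/bsd.prefs.mk before mk.conf is included); the major-version cutoff of 17 is a constructed placeholder, not a value anyone on the thread stated.

```make
# mk.conf (added example, not part of the thread)
#
# Blank the native curl only on Darwin releases older than a chosen
# major version, so newer releases with a vendor-patched curl keep
# using the platform tool and nothing needs bumping for them.
# OS_VERSION on Darwin looks like "16.5.0"; :C/\..*// keeps "16".
# The cutoff "17" is a constructed placeholder: set it to the oldest
# Darwin release you consider to ship a trustworthy curl.
.if ${OPSYS} == "Darwin" && ${OS_VERSION:C/\..*//} < 17
# Empty value: pkgsrc builds and uses www/curl instead of /usr/bin/curl.
TOOLS_PLATFORM.curl=
.endif

# Prefer pkgsrc packages over builtin/native ones so library updates
# (OpenSSL included) come from pkgsrc's vulnerability tracking rather
# than an OS the vendor no longer patches.
PREFER_PKGSRC=	yes
```

Run `bmake show-var VARNAME=TOOLS_PLATFORM.curl` in any package directory to confirm the variable is empty on the affected host and still points at the native binary elsewhere.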
