tech-pkg archive


Re: builtin curl - especially on Darwin

On 05/09/17 15:42, Johnny C. Lam wrote:
> On Tue, May 09, 2017 at 01:18:04PM +0100, Jonathan Perkin wrote:
>> * On 2017-05-09 at 12:59 BST, Sevan Janiyan wrote:
>>> On 08/05/2017 23:12, J. Lewis Muir wrote:
>>>> I don't know if it's the best way, but I think you can make it not use
>>>> the native curl by setting the following in mk.conf (i.e., this will
>>>> make it use the pkgsrc curl):
>>>>
>>>>   TOOLS_PLATFORM.curl=
>>> Indeed that's an option; I was hoping to address the issue out of the
>>> box, ideally in a systematic manner, so you don't have to bump one in the
>>> case of a new release of Darwin. That doesn't apply to Linux distros, and
>>> I'm not sure there's much legacy support in curl itself?
>> Trying to do it automatically would be pretty messy, as obviously
>> you'd need to use the platform curl to get the new curl and all of its
>> dependencies before you can start using the new curl, in which case
>> you're already insecure up to that point.  Or you use libfetch in the
>> meantime, but that just then gets really complicated from an
>> infrastructure point of view.  Then there's also the OpenSSL
>> dependency to be considered and whether you use the insecure version
>> that is shipped or have to now pull in OpenSSL from pkgsrc and all its
>> dependencies, or forego https:// MASTER_SITES support which is
>> becoming increasingly common.
>>
>> The easiest option would be to do a MACHINE_PLATFORM test in
>> mk/tools/tools.Darwin.mk and don't set TOOLS_PLATFORM.curl for older
>> platforms.
>>
>> I'm not really a fan of doing that though.  You're already running an
>> OS which likely has multiple remote exploits that we have no ability
>> to fix, so it feels a bit pointless, and will ultimately make things
>> harder (and slower) for users to just get pkgsrc going on it.
> I agree with this.  Having pkgsrc track security advisories for native
> programs on older OSes is a headache not worth importing.  For any OS
> that's continuing to receive updates, this problem goes away once you
> apply the vendor update.  For ones that are officially "dead" to the
> vendor, it's reasonable to have to do the legwork yourself to keep
> your outdated OS viable, e.g.:
> 
>   - Add an empty TOOLS_PLATFORM.curl to your bsd.prefs.mk, and blank
>     out any other insecure tools that you don't want to get used by
>     pkgsrc.
> 
>   - Use PREFER_PKGSRC=yes so that you at least track pkgsrc's updates
>     for vulnerabilities.

curl is a special case here. On OS X, of the tools that we make use of (via
mk/tools/tools.Darwin.mk), curl is the only one which is linked to OpenSSL.
We explicitly opt to use OpenSSL from pkgsrc by default on Darwin (via
mk/platforms/Darwin.mk). In the current scenario we have a situation
where you are making use of the system OpenSSL despite opting to prefer
pkgsrc OpenSSL.

I appreciate the concern about longer bootstrap times; it takes around
45 minutes at the moment to bootstrap on a G4 Mac Mini, and I'm happy to
have a slightly longer bootstrap time for security. :)


Sevan
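Two checks that follow from the discussion above, as an added example (this is not code from the thread or from pkgsrc itself): whether a given mk.conf actually blanks TOOLS_PLATFORM.curl, and which libssl a given curl binary links, so you can confirm that fetches go through pkgsrc's OpenSSL rather than the system copy. It assumes pkgsrc lives under PKG_PREFIX (default /usr/pkg), that the OS's own libraries sit under /usr/lib or /System, and that otool(1) is available on Darwin and ldd(1) elsewhere. The otool/ldd output shown in the comments is constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added example, not code from the thread or from pkgsrc.
# The mk.conf lines under discussion are:
#   TOOLS_PLATFORM.curl=      # stop pkgsrc using the native curl
#   PREFER_PKGSRC=yes         # track pkgsrc's updates for OpenSSL etc.
# Assumption: pkgsrc is installed under PKG_PREFIX (default /usr/pkg).
PKG_PREFIX="${PKG_PREFIX:-/usr/pkg}"

# 1. Return 0 if the mk.conf at $1 sets TOOLS_PLATFORM.curl to an empty
#    value (so pkgsrc ignores the native curl), 1 otherwise.
native_curl_disabled() {
    grep -Eq '^[[:space:]]*TOOLS_PLATFORM\.curl[[:space:]]*[:?]?=[[:space:]]*$' "$1"
}

# 2. Print the dynamic-library listing of the binary at $1:
#    otool(1) on Darwin, ldd(1) elsewhere.
linked_libs() {
    case "$(uname -s)" in
        Darwin) otool -L "$1" ;;
        *)      ldd "$1" ;;
    esac
}

# From otool -L / ldd output on stdin, print the absolute path of the first
# libssl or libcrypto entry. otool puts the path in the first field, e.g.
#     /usr/lib/libssl.0.9.8.dylib (compatibility version 0.9.8, ...)
# ldd puts it after "=>", e.g.
#     libssl.so.1.1 => /usr/pkg/lib/libssl.so.1.1 (0x...)
# so scan every field for an absolute path naming libssl/libcrypto.
tls_lib_path() {
    awk '{ for (i = 1; i <= NF; i++)
               if ($i ~ /^\/.*lib(ssl|crypto).*\.(dylib|so)/) { print $i; exit } }'
}

# Classify a library path: "pkgsrc" if under PKG_PREFIX, "system" if under
# the OS's own library directories, "none" if no TLS library was found.
tls_lib_origin() {
    case "$1" in
        "")                    echo none ;;
        "$PKG_PREFIX"/*)       echo pkgsrc ;;
        /usr/lib/*|/System/*)  echo system ;;
        *)                     echo other ;;
    esac
}

# Report which TLS library the curl at $1 (default: first curl in PATH) links.
check_curl() {
    bin="${1:-$(command -v curl)}"
    path="$(linked_libs "$bin" 2>/dev/null | tls_lib_path)"
    printf '%s: libssl=%s (%s)\n' "$bin" "${path:-none}" "$(tls_lib_origin "$path")"
}

# Usage: sh check-curl-tls.sh /usr/bin/curl   (script name is hypothetical)
if [ $# -gt 0 ]; then
    check_curl "$1"
fi
```

Run it against the curl that pkgsrc's tools wrapper points at (on Darwin that is /usr/bin/curl unless TOOLS_PLATFORM.curl is blanked); an origin of `system` means distfile fetches over https:// go through the OS's libssl regardless of PREFER_PKGSRC, which is exactly the mismatch the message above describes.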