Re: provide latest OS root certificates via port?

[Bill Cole]

On 2021-10-29 at 11:17:52 UTC-0400 (Fri, 29 Oct 2021 11:17:52 -0400 
(EDT))
Richard Bonomo TDS personal <bon...@tds.net>
is rumored to have said:
I don't know what to think about MacPorts, specifically, providing
new certificates, but, pertaining to some of the arguments presented
against doing this on old Macs generally, it must be kept in mind
that some of us --
including yours truly --
have Apple computers that
CANNOT use newer operating systems or browsers.  Sometimes, one has
to work with what one has.

Sure, and I am not saying that MP should abandon older systems or that 
you and I and everyone else still running older systems is doing 
anything "wrong" but simply that it is risky and cannot be safe without 
the recognition that you have to understand and manage your risks 
without vendor support.

Some people have expressed more judgmental views here in the past, 
arguing that older Macs should be relegated to running other, free OSs 
that have active security maintenance and suggesting that MP deprecate 
MacOS versions no longer supported by Apple. I'm NOT saying that, but 
rather that users should understand their risks and MP should not take 
on the doomed task of de facto trying to maintain OS versions which are 
by any reasonable definition obsolete. The norm for MP has been to offer 
parallel tools to those in the OS (e.g. current packages that match what 
Apple used to include in Server) and leave the issue of whether & how to 
user them to actually replace Apple's tools up to the user.




----- Original Message -----
From: "Bill Cole" <macportsusers-20171...@billmail.scconsult.com>
To: "macports-users Users" <macports-users@lists.macports.org>
Sent: Friday, October 29, 2021 10:09:45 AM
Subject: Re: provide latest OS root certificates via port?

On 2021-10-29 at 07:23:38 UTC-0400 (Fri, 29 Oct 2021 07:23:38 -0400)
Richard L. Hamilton <rlha...@smart.net>
is rumored to have said:

You're (probably - seems plausible but I haven't verified it myself)
right that that's annoying and fixable.

But there's a big reason to think carefully about whether to do that.
If something is old enough that it isn't receiving certificate
updates, it probably isn't receiving security updates either. And the
same applications and functionality that need current root
certificates to work are also likely to be common attack points.

So at the very least, anything that makes it easier to take such a
risk should come with a prominent warning, IMO.

Yes: Anyone running Mojave or earlier is not exactly skydiving without 
a
parachute, but is doing something close. Perhaps it's akin to 
skydiving
with a homemade parachute...

Frankly, I don't think MacPorts should attempt to 'fix' this issue or
similar future issues diretly, not because it encourages risky 
behavior
but because MacPorts should avoid poking around in the MacOS base at 
all
where it isn't essential for the operation of MacPorts. It's easy 
enough
in principle for MacPorts to stand up and use its own modern OSS-based
encryption+PKI stack with its own set of trusted CAs (e.g.
curl-ca-bundle and openssl ports) and so keep itself functional 
without
poking around in core functionality of the OS that MacPorts-naive 
tools
need to use. People who need to fix the problem of an expired root 
cert
should be able to understand and repair that problem (which can be 
done
without digging a CA bundle out of a newer system) if they need to, 
and
having the issue unaddressed is not itself a security issue, but a
functionality issue. Anyone who actually wants to run Safari & Chrome 
on
an OS that isn't getting basic security maintenance should be thinking
very carefully about what they are doing and accept responsibility for
making something work which arguably should no longer work because it 
is
too risky.

One risk for MacPorts is a slippery slope created by providing support
for antique OS versions that include opaque proprietary bits that are
probably insecure in ways that no one fully understands. If it is 
taken
too far (which in my opinion includes fixing core components like PKI)
MP would be doing a disservice to users who understandably expect a
"Just Works" experience on a Mac by enabling the continued use of 
tools
that could well have permanent unrecognized and mostly invisible
security flaws.


On Oct 29, 2021, at 07:12, René J.V. Bertin <rjvber...@gmail.com>
wrote:

Hi,

Users of older Apple OSes that are no longer receiving updates
probably noticed that Safari and Chrome-based browsers no longer
connect to lots of sites because a crucial root certificate has
expired.

Answer 1 to
https://apple.stackexchange.com/questions/422332/how-do-i-update-my-root-certificates-on-an-older-version-of-mac-os-e-g-el-capi
provides an easy solution, but you need access to an up-to-date OS
install.

These are not proprietary to Apple so I presume it should be 
possible
to provide the suggested `rootcerts.pem` file via a port - possibly
even install it in the post-activate. I had a look but couldn't find
if such a port already exists. I think it'd help for lots of
people... I'd propose a draft but I'm running 10.9 ... so thanks to
anyone picking this up!

R.



--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire


--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire