#55933 closed enhancement (fixed)
Use MacPorts Subversion when fetch.type svn on OS X El Capitan and earlier
Reported by: | ryandesign (Ryan Carsten Schmidt) | Owned by: | ryandesign (Ryan Carsten Schmidt) |
---|---|---|---|
Priority: | Normal | Milestone: | MacPorts 2.4.4 |
Component: | base | Version: | |
Keywords: | Cc: | ||
Port: |
Description
MacPorts base currently adds a port:subversion
dependency only on Mac OS X Tiger, because Tiger didn't include an svn
binary. On Leopard and later, it adds the dependency bin:svn:subversion
on the assumption that the Apple-provided svn
binary is sufficient. See [4456efc3907271a348313567a82eb5e2c50e8ba4/macports-base].
Ideally, ports that use fetch.type svn
should use an https URL to the repository. But recently SourceForge has disabled support for older SSL protocols, such that the version of svn
included in OS X El Capitan and earlier can no longer connect to it. I suggest we add the port:subversion
dependency, and use the MacPorts version of svn
, on El Capitan and earlier.
Other alternatives, such as fetching using an http or svn URL, don't work well. Using the svn protocol is problematic, because it uses a less common port number which some network firewalls block access to. Fetching using http is problematic, because http proxies can become confused by the additional WebDAV http verbs Subversion uses.
Change History (18)
comment:1 follow-up: 11 Changed 7 years ago by mf2k (Frank Schima)
comment:2 Changed 7 years ago by ryandesign (Ryan Carsten Schmidt)
Milestone: | → MacPorts Future |
---|
comment:3 Changed 7 years ago by ryandesign (Ryan Carsten Schmidt)
Owner: | set to ryandesign |
---|---|
Resolution: | → fixed |
Status: | new → closed |
comment:4 Changed 7 years ago by ryandesign (Ryan Carsten Schmidt)
comment:5 Changed 7 years ago by ryandesign (Ryan Carsten Schmidt)
comment:6 follow-up: 10 Changed 7 years ago by jmroot (Joshua Root)
This change broke the svn-and-patchsites test on 10.6 through 10.11.
comment:7 Changed 7 years ago by neverpanic (Clemens Lang)
Milestone: | MacPorts Future → MacPorts 2.5.0 |
---|
comment:8 Changed 7 years ago by neverpanic (Clemens Lang)
Milestone: | MacPorts 2.5.0 → MacPorts Future |
---|
comment:9 Changed 7 years ago by jmroot (Joshua Root)
Milestone: | MacPorts Future → MacPorts 2.5.0 |
---|
comment:10 Changed 7 years ago by ryandesign (Ryan Carsten Schmidt)
Replying to jmroot:
This change broke the svn-and-patchsites test on 10.6 through 10.11.
I think Clemens fixed that in [ea77eb50b06f009629afb95321f0d5cd932c070b/macports-base].
comment:11 follow-up: 12 Changed 7 years ago by jmroot (Joshua Root)
Replying to mf2k:
Yes, please just add a dependency on Macports subversion for older OSes. Reducing the security for everyone, by using http instead of https, for legacy support is not acceptable in my mind.
Given that we use --trust-server-cert
with svn it's not like it's secure in the first place…
comment:12 Changed 7 years ago by mf2k (Frank Schima)
Replying to jmroot:
Given that we use
--trust-server-cert
with svn it's not like it's secure in the first place…
That's a different issue. Using https is generally accepted best practice for website security and ensuring a valid download.
I won't ask why we do that but it should probably be addressed in another ticket/discussion. If it is needed for a few misconfigured servers, then we should include a non-default option to --trust-server-cert
for those servers only. Something like:
svn.trust_server_cert yes
comment:13 follow-up: 14 Changed 7 years ago by mf2k (Frank Schima)
Checking the guide, we already have this which (it says) defaults to no.
fetch.ignore_sslcert yes
comment:14 Changed 7 years ago by ryandesign (Ryan Carsten Schmidt)
Replying to mf2k:
Checking the guide, we already have this which (it says) defaults to no.
fetch.ignore_sslcert yes
But it is only used when fetch.type
is standard
.
Rainer has already removed --trust-server-cert
in his vcs-fetch branch; see 704ae4d4a819911df506df6093f94fe4467a049b/macports-base. Hopefully that can be merged to master at some point.
Let's stop the discussion here now, since this ticket is closed.
comment:15 Changed 7 years ago by ryandesign (Ryan Carsten Schmidt)
comment:16 Changed 7 years ago by ryandesign (Ryan Carsten Schmidt)
comment:17 Changed 7 years ago by ryandesign (Ryan Carsten Schmidt)
comment:18 Changed 7 years ago by ryandesign (Ryan Carsten Schmidt)
Milestone: | MacPorts 2.5.0 → MacPorts 2.4.4 |
---|
Yes, please just add a dependency on Macports subversion for older OSes. Reducing the security for everyone, by using http instead of https, for legacy support is not acceptable in my mind.