
--insecure arg added back #403

Closed

Contributor

@AnastasiaSulyagina AnastasiaSulyagina commented Jun 27, 2016

Adding this since Homebrew core and Cask are being merged and cask supports <10.6 OS versions.

@tdsmith
Contributor

tdsmith commented Jun 27, 2016

I'm not aware of the context here but I think I would prefer not to support systems that can't handle certificate validation in Homebrew/brew.

@tdsmith
Contributor

tdsmith commented Jun 27, 2016

-- although I don't want to relitigate something that's already been discussed; have folks already talked about this?

@AnastasiaSulyagina
Contributor Author

AnastasiaSulyagina commented Jun 27, 2016

Context was that cask supports OS versions under 10.6 and has the line in its utils code:
https://github.com/AnastasiaSulyagina/homebrew-cask/blob/master/lib/vendor/homebrew-fork/utils.rb#L40
And as the code is to be merged and cask's part is to be deleted (as part of #14384 and my summer GSoC project), I added the line back here because it was not supposed to break anything in brew but made cask code work correctly with brew's core.

@AnastasiaSulyagina
Contributor Author

Committed wrong piece, sorry.

@tdsmith
Contributor

tdsmith commented Jun 27, 2016

I see. I think it's really dangerous to silently disable certificate verification.

Assuming (without checking) that the curl on 10.6 and below is too old to support SNI or TLS 1.2 I think we shouldn't attempt to use it on the modern Internet. If supporting < 10.6 is a firm requirement (and maybe we should push back on that), maybe this is a candidate for vendoring for old systems, à la git and ruby in #404? /cc @xu-cheng @DomT4

If I'm wrong and the problem is just certificates, maybe we bundle the Mozilla certificate bundle from https://curl.haxx.se/docs/caextract.html?

@DomT4
Member

DomT4 commented Jun 27, 2016

Yeah, I'd be pretty unhappy to say the least if we stuck this back in. I'm not convinced it was an entirely good idea when we originally tolerated it, I think there's even less of a case for it today.

I'm a little confused how this PR meshes with the 10.6 check in brew.

It's perhaps worth noting that the code for handling curl has deviated pretty significantly from where it was when the Cask forked it, including wholly excluding our newer mechanisms for favouring Homebrew's curl when present on older systems.

We also have added a doctor nag nudging people using <10.9 to install Homebrew's curl, and I've started work on a command to update certificates shipped with openssl, libressl, gnutls etc, particularly (but not exclusively) on older systems.

My PR there is kind of paused at the moment because I managed to end up dumping far too much on my plate at once, but it isn't dead, FWIW.

@AnastasiaSulyagina
Contributor Author

AnastasiaSulyagina commented Jun 27, 2016

OK, did not expect that. It seemed pretty similar to the old state at first glance. Will try to handle this differently.

@DomT4
Member

DomT4 commented Jun 27, 2016

I'm not sure of the broader context here, beyond your original comment. For obvious reasons I've been keeping my nose out of other GSoC stuff, beside when directly pinged. If your need to do this is limited to how Homebrew currently uses curl, i.e. for the fetch mechanism, then you shouldn't need to change anything.

10.8 and below users will still be nagged to install Homebrew's curl, should soonish have a way to update certs out-of-band & if we get issues on downloading for those platforms installing our curl will be our first suggestion. FWIW 98% of Homebrew's known userbase is running 10.9 or newer.

If you're planning to piggyback on the existing fetch mechanism no changes should be required to that purely in terms of which curl and why, but please do feel free to elaborate if there's a misunderstanding here.

@MikeMcQuaid
Member

Thanks @AnastasiaSulyagina! I agree we probably don't need this. That said, we should eventually aim to have Homebrew/brew be effectively a merge of Tigerbrew and Linuxbrew's core but I agree unconditionally passing --insecure is probably not a good way of doing that. CC @mistydemeo for thoughts here.

@Homebrew Homebrew locked and limited conversation to collaborators May 3, 2018