#55933 closed enhancement (fixed)
Use MacPorts Subversion when fetch.type svn on OS X El Capitan and earlier
| Reported by: | ryandesign (Ryan Carsten Schmidt) | Owned by: | ryandesign (Ryan Carsten Schmidt) |
|---|---|---|---|
| Priority: | Normal | Milestone: | MacPorts 2.4.4 |
| Component: | base | Version: | |
| Keywords: | Cc: | ||
| Port: |
Description
MacPorts base currently adds a port:subversion dependency only on Mac OS X Tiger, because Tiger didn't include an svn binary. On Leopard and later, it adds the dependency bin:svn:subversion on the assumption that the Apple-provided svn binary is sufficient. See [4456efc3907271a348313567a82eb5e2c50e8ba4/macports-base].
Ideally, ports that use fetch.type svn should use an https URL to the repository. But recently SourceForge has disabled support for older SSL protocols, such that the version of svn included in OS X El Capitan and earlier can no longer connect to it. I suggest we add the port:subversion dependency, and use the MacPorts version of svn, on El Capitan and earlier.
Other alternatives, such as fetching using an http or svn URL, don't work well. Using the svn protocol is problematic, because it uses a less common port number which some network firewalls block access to. Fetching using http is problematic, because http proxies can become confused by the additional WebDAV http verbs Subversion uses.
Change History (18)
comment:1 follow-up: 11 Changed 6 years ago by mf2k (Frank Schima)
comment:2 Changed 6 years ago by ryandesign (Ryan Carsten Schmidt)
| Milestone: | → MacPorts Future |
|---|
comment:3 Changed 6 years ago by ryandesign (Ryan Carsten Schmidt)
| Owner: | set to ryandesign |
|---|---|
| Resolution: | → fixed |
| Status: | new → closed |
comment:4 Changed 6 years ago by ryandesign (Ryan Carsten Schmidt)
comment:5 Changed 6 years ago by ryandesign (Ryan Carsten Schmidt)
comment:6 follow-up: 10 Changed 6 years ago by jmroot (Joshua Root)
This change broke the svn-and-patchsites test on 10.6 through 10.11.
comment:7 Changed 6 years ago by neverpanic (Clemens Lang)
| Milestone: | MacPorts Future → MacPorts 2.5.0 |
|---|
comment:8 Changed 6 years ago by neverpanic (Clemens Lang)
| Milestone: | MacPorts 2.5.0 → MacPorts Future |
|---|
comment:9 Changed 6 years ago by jmroot (Joshua Root)
| Milestone: | MacPorts Future → MacPorts 2.5.0 |
|---|
comment:10 Changed 6 years ago by ryandesign (Ryan Carsten Schmidt)
Replying to jmroot:
This change broke the svn-and-patchsites test on 10.6 through 10.11.
I think Clemens fixed that in [ea77eb50b06f009629afb95321f0d5cd932c070b/macports-base].
comment:11 follow-up: 12 Changed 6 years ago by jmroot (Joshua Root)
Replying to mf2k:
Yes, please just add a dependency on Macports subversion for older OSes. Reducing the security for everyone, by using http instead of https, for legacy support is not acceptable in my mind.
Given that we use --trust-server-cert with svn it's not like it's secure in the first place…
comment:12 Changed 6 years ago by mf2k (Frank Schima)
Replying to jmroot:
Given that we use
--trust-server-certwith svn it's not like it's secure in the first place…
That's a different issue. Using https is generally accepted best practice for website security and ensuring a valid download.
I won't ask why we do that but it should probably be addressed in another ticket/discussion. If it is needed for a few misconfigured servers, then we should include a non-default option to --trust-server-cert for those servers only. Something like:
svn.trust_server_cert yes
comment:13 follow-up: 14 Changed 6 years ago by mf2k (Frank Schima)
Checking the guide, we already have this which (it says) defaults to no.
fetch.ignore_sslcert yes
comment:14 Changed 6 years ago by ryandesign (Ryan Carsten Schmidt)
Replying to mf2k:
Checking the guide, we already have this which (it says) defaults to no.
fetch.ignore_sslcert yes
But it is only used when fetch.type is standard.
Rainer has already removed --trust-server-cert in his vcs-fetch branch; see 704ae4d4a819911df506df6093f94fe4467a049b/macports-base. Hopefully that can be merged to master at some point.
Let's stop the discussion here now, since this ticket is closed.
comment:15 Changed 6 years ago by ryandesign (Ryan Carsten Schmidt)
comment:16 Changed 6 years ago by ryandesign (Ryan Carsten Schmidt)
comment:17 Changed 6 years ago by ryandesign (Ryan Carsten Schmidt)
comment:18 Changed 6 years ago by ryandesign (Ryan Carsten Schmidt)
| Milestone: | MacPorts 2.5.0 → MacPorts 2.4.4 |
|---|
Yes, please just add a dependency on Macports subversion for older OSes. Reducing the security for everyone, by using http instead of https, for legacy support is not acceptable in my mind.