Ticket #60556: installing a bootstrap version of MacPorts and using it for modern SSL.txt

File installing a bootstrap version of MacPorts and using it for modern SSL.txt, 6.6 KB (added by kencu (Ken), 4 years ago)

Installing MacPorts with updated security:

By default, MacPorts will install using the libraries and headers that come with your OS, in /usr/include and /usr/lib. However, on older systems these libraries have not been updated in some time, and now many https websites that distribute source code and binaries have enabled security features that these older libraries cannot manage. This causes failures during the "fetch" stage of ports, often with a message involving a "TLS" error to indicate the unsupported security protocols.

To upgrade your MacPorts installation on older systems to have modern security, and therefore access these https sites without troubles, you can reinstall MacPorts, building against newer dependencies. A simple way to do that is to use a second "bootstrap" installation of MacPorts to install the needed dependencies for you.

Note: this takes longer to read than to actually accomplish, as it has been described very fully here to try to avoid any misunderstandings.


Part 1:

Installing a bootstrap installation of MacPorts:

First, make sure you are not working with your previously installed version of MacPorts, if there is one. To do this:

edit ~/.profile

and disable the added PATH settings that pointed to MacPorts in /opt/local by commenting the line out with a hashtag, and then add a new PATH setting for what will be your new MacPorts installation in /opt/bootstrap (which may not yet exist, but that's OK):

#export PATH="/opt/local/bin:/opt/local/sbin:$PATH"
export PATH="/opt/bootstrap/bin:/opt/bootstrap/sbin:$PATH"

close and reopen the Terminal window to pick up the new settings.


Now go to a suitable directory, download, extract, and configure MacPorts with configure settings appropriate to the bootstrap installation. You will need to set the prefix to /opt/bootstrap, make sure that any ports that install bits into the Applications directory don't overwrite the ones you install with your primary MacPorts installation by placing the Applications directory somewhere safe, and you also don't want to add any startupitems that might interfere with your primary MacPorts installation:

./configure --prefix=/opt/bootstrap --with-applications-dir=/opt/bootstrap/Applications --without-startupitems && make && sudo make install

After installation, on 10.4 to 10.8, to set up the bootstrap version of MacPorts appropriately:

edit macports.conf with your favourite editor, e.g.:

bbedit /opt/bootstrap/etc/macports/macports.conf

and add this line at the top:

cxx_stdlib              libstdc++

Forcing cxx_stdlib to libstdc++ not only simplifies the bootstrap installation significantly, but it also prevents the bootstrap installation from accidentally overwriting /usr/lib/libc++.dylib.

Now check to make sure all is well:

$ which port
/opt/bootstrap/bin/port

$ port -v
MacPorts 2.6.2
Entering shell mode... ("help" for help, "quit" to quit)

and "quit".

2.6.2 is current at the time of this writing.

Next, use this bootstrap installation to install the updated dependencies that your primary MacPorts installation will use:

sudo port -v sync
sudo port -v install curl

This will pull in the other needed packages your primary MacPorts installation will use to have modern security. On Tiger, you will also pull in the apple-gcc42 compiler installation, which proceeds smoothly but unfortunately does add both time and bulk to the bootstrap installation. There are ways to work around this, but not simply described here, so I suggest just letting it play out.
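
To confirm that the bootstrap curl really brings newer TLS support than the system one, the first line of `curl --version` names the TLS library it was built against. The script below is an added example, not part of the original file: it classifies that line, treating OpenSSL 1.0.1 (the first release with TLS 1.2) as the threshold. The function names and both sample banners are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a curl build's TLS capability from its
# `curl --version` banner. Only the OpenSSL backend is recognised.

# Print the OpenSSL version token (e.g. "0.9.8r") from a banner, or nothing.
openssl_version() {
    printf '%s\n' "$1" | sed -n '1s|.* OpenSSL/\([0-9][0-9a-z.]*\).*|\1|p'
}

# Return 0 if OpenSSL version $1 is >= 1.0.1, the first release with TLS 1.2.
# awk's numeric conversion ignores the trailing patch letter ("8r" -> 8).
supports_tls12() {
    printf '%s\n' "$1" | awk -F. '{
        maj = $1 + 0; min = $2 + 0; pat = $3 + 0
        exit !(maj > 1 || (maj == 1 && (min > 0 || pat >= 1)))
    }'
}

# Print "modern", "legacy" or "unknown" for a `curl --version` banner.
curl_tls_verdict() {
    ver=$(openssl_version "$1")
    if [ -z "$ver" ]; then
        echo unknown          # other TLS backend, or not a curl banner
    elif supports_tls12 "$ver"; then
        echo modern
    else
        echo legacy
    fi
}

# Constructed sample banners (not captured from real systems).
OLD_BANNER='curl 7.19.7 (universal-apple-darwin10.0) libcurl/7.19.7 OpenSSL/0.9.8r zlib/1.2.3'
NEW_BANNER='curl 7.71.1 (x86_64-apple-darwin10.8.0) libcurl/7.71.1 OpenSSL/1.1.1g zlib/1.2.11'

echo "sample old: $(curl_tls_verdict "$OLD_BANNER")"
echo "sample new: $(curl_tls_verdict "$NEW_BANNER")"

# On a real machine, compare the system curl with the bootstrap one.
for c in /usr/bin/curl /opt/bootstrap/bin/curl; do
    if [ -x "$c" ]; then
        echo "$c: $(curl_tls_verdict "$("$c" --version)")"
    fi
done
```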

Maintenance of the bootstrap repo:

From time to time (at least every three months) you should update the bootstrap installation. To do this:

again edit your path in ~/.profile (helps keep things straight):

#export PATH="/opt/local/bin:/opt/local/sbin:$PATH"
export PATH="/opt/bootstrap/bin:/opt/bootstrap/sbin:$PATH"

close and reopen a Terminal window to pick up the new PATH, and then update as usual:

sudo port selfupdate && sudo port -v -N upgrade outdated

You can clean out the older updated ports by running

sudo port -v reclaim

but I suggest you don't remove the first screenful of unrequested build dependencies you will be presented with, as you will just need them all again next time you update; just remove the deactivated ports and the no-longer-required distfiles.

If you are the meticulous sort like I am, you can set all the build dependencies as "requested" and then port reclaim won't suggest to uninstall them for you each time. The process to do that is described completely in MacPorts' guide:

https://guide.macports.org/chunked/using.common-tasks.html#using.common-tasks.keeplean

Now you have a relatively lean set of current libraries in /opt/bootstrap that your primary MacPorts installation can use to build against.


Part 2:

Installing MacPorts using the updated libraries in /opt/bootstrap.

Now we will install MacPorts using the newer SSL dependencies, and you might as well use the most current sqlite3 as well, as it is there to be used too. You can just overwrite your current MacPorts installation, should there be one...it is not necessary to uninstall MacPorts in /opt/local and reinstall it again.

Now that we're done working with /opt/bootstrap, reset your PATH again:

edit your path in ~/.profile

export PATH="/opt/local/bin:/opt/local/sbin:$PATH"
#export PATH="/opt/bootstrap/bin:/opt/bootstrap/sbin:$PATH"

and then close and reopen a Terminal window to pick up the new PATH settings.

Decompress the MacPorts tarball as usual for a source installation, and then we'll now configure it to use the new libraries. Helpfully, MacPorts has configure arguments available that simplify the process of using the alternate libraries.


./configure --with-curlprefix=/opt/bootstrap --with-sqlite3prefix=/opt/bootstrap && make && sudo make install

IMPORTANT: Once you have installed it in /opt/local, MacPorts will prompt you to run "sudo port -v selfupdate". Before you do that, please note:

MacPorts does not yet have a mechanism to record the configure arguments that were used to invoke it originally. If you run "sudo port -v selfupdate" and a new version of MacPorts is available, it will build with the default arguments and your newer libraries in /opt/bootstrap will be ignored. Until a fix for this gets incorporated into base, you should do this instead:

sudo port -v sync

This command downloads new Portfiles, but skips upgrading MacPorts. When a new version of MacPorts is released, you will need to use the configure arguments manually at present, to build it from source against your updated libraries.

If you accidentally do run "sudo port -v selfupdate" and install MacPorts with older security, there is no harm done; you can just reinstall right over top of that again from a source tarball.
116If you accidentally do run "sudo port -v selfupdate" and install MacPorts with older security, there is no harm done; you can just reinstall right over top of that again from a source tarball.