Opened 3 years ago

Closed 3 years ago

Last modified 3 years ago

#55933 closed enhancement (fixed)

Use MacPorts Subversion when fetch.type svn on OS X El Capitan and earlier

Reported by: ryandesign (Ryan Schmidt)
Owned by: ryandesign (Ryan Schmidt)
Priority: Normal
Milestone: MacPorts 2.4.4
Component: base
Version:
Keywords:
Cc:
Port:

Description

MacPorts base currently adds a port:subversion dependency only on Mac OS X Tiger, because Tiger didn't include an svn binary. On Leopard and later, it adds the dependency bin:svn:subversion on the assumption that the Apple-provided svn binary is sufficient. See [4456efc3907271a348313567a82eb5e2c50e8ba4/macports-base].

Ideally, ports that use fetch.type svn should use an https URL to the repository. But recently SourceForge has disabled support for older SSL protocols, such that the version of svn included in OS X El Capitan and earlier can no longer connect to it. I suggest we add the port:subversion dependency, and use the MacPorts version of svn, on El Capitan and earlier.

Other alternatives, such as fetching using an http or svn URL, don't work well. Using the svn protocol is problematic, because it uses a less common port number which some network firewalls block access to. Fetching using http is problematic, because http proxies can become confused by the additional WebDAV http verbs Subversion uses.

Change History (18)

comment:1 Changed 3 years ago by mf2k (Frank Schima)

Yes, please just add a dependency on MacPorts subversion for older OSes. Reducing the security for everyone, by using http instead of https, for legacy support is not acceptable in my mind.

comment:2 Changed 3 years ago by ryandesign (Ryan Schmidt)

Milestone: MacPorts Future

comment:3 Changed 3 years ago by ryandesign (Ryan Schmidt)

Owner: set to ryandesign
Resolution: fixed
Status: new → closed

In 8a3b73d263af3da6ad319a84f6bd163c69320cbe/macports-base:

Use MacPorts svn on El Capitan and earlier

Closes: #55933

comment:4 Changed 3 years ago by ryandesign (Ryan Schmidt)

comment:5 Changed 3 years ago by ryandesign (Ryan Schmidt)

In 62e07cae09eedfbb9d13a92373e512ed14c04591/macports-base:

portfetch.tcl: Depend on port:subversion on 10.11 and earlier

See: #55933

comment:6 Changed 3 years ago by jmroot (Joshua Root)

This change broke the svn-and-patchsites test on 10.6 through 10.11.

comment:7 Changed 3 years ago by neverpanic (Clemens Lang)

Milestone: MacPorts Future → MacPorts 2.5.0

comment:8 Changed 3 years ago by neverpanic (Clemens Lang)

Milestone: MacPorts 2.5.0 → MacPorts Future

comment:9 Changed 3 years ago by jmroot (Joshua Root)

Milestone: MacPorts Future → MacPorts 2.5.0

comment:10 in reply to:  6 Changed 3 years ago by ryandesign (Ryan Schmidt)

Replying to jmroot:

This change broke the svn-and-patchsites test on 10.6 through 10.11.

I think Clemens fixed that in [ea77eb50b06f009629afb95321f0d5cd932c070b/macports-base].

comment:11 in reply to:  1 ; Changed 3 years ago by jmroot (Joshua Root)

Replying to mf2k:

Yes, please just add a dependency on MacPorts subversion for older OSes. Reducing the security for everyone, by using http instead of https, for legacy support is not acceptable in my mind.

Given that we use --trust-server-cert with svn it's not like it's secure in the first place…

comment:12 in reply to:  11 Changed 3 years ago by mf2k (Frank Schima)

Replying to jmroot:

Given that we use --trust-server-cert with svn it's not like it's secure in the first place…

That's a different issue. Using https is generally accepted best practice for website security and ensuring a valid download.

I won't ask why we do that but it should probably be addressed in another ticket/discussion. If it is needed for a few misconfigured servers, then we should include a non-default option to --trust-server-cert for those servers only. Something like:

svn.trust_server_cert  yes

comment:13 Changed 3 years ago by mf2k (Frank Schima)

Checking the guide, we already have this which (it says) defaults to no.

fetch.ignore_sslcert    yes

comment:14 in reply to:  13 Changed 3 years ago by ryandesign (Ryan Schmidt)

Replying to mf2k:

Checking the guide, we already have this which (it says) defaults to no.

fetch.ignore_sslcert    yes

But it is only used when fetch.type is standard.

Rainer has already removed --trust-server-cert in his vcs-fetch branch; see 704ae4d4a819911df506df6093f94fe4467a049b/macports-base. Hopefully that can be merged to master at some point.

Let's stop the discussion here now, since this ticket is closed.
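Added example, not MacPorts code and not part of the ticket: a small audit that flags Portfiles whose Subversion fetch does not use https, and `fetch.ignore_sslcert` settings that either weaken a standard fetch or (per comment 14) have no effect on an svn fetch. The sample Portfiles, host names and the `options`/`audit` helpers are constructed for illustration, and the parser assumes plain `option value` lines rather than full Tcl.

```python
import re
from urllib.parse import urlsplit

# Constructed sample Portfiles (not real ports). svn.url is the Portfile
# option holding the repository URL; fetch.ignore_sslcert is quoted above.
SAMPLES = {
    "good": "fetch.type svn\nsvn.url https://svn.example.org/demo/trunk\nsvn.revision 42\n",
    "plain-http": "fetch.type svn\nsvn.url http://svn.example.org/demo/trunk\n",
    "svn-proto": "fetch.type svn\nsvn.url svn://svn.example.org/demo/trunk\n",
    "nocert": "fetch.type svn\nsvn.url https://svn.example.org/demo\nfetch.ignore_sslcert yes\n",
    "tarball": "master_sites https://example.org/dist\nfetch.ignore_sslcert yes\n",
}

def options(portfile_text):
    """Return {option: value} for simple 'option value' lines.

    Assumption: one option per line; comment lines start with '#' and
    therefore never match the option-name pattern.
    """
    opts = {}
    for line in portfile_text.splitlines():
        m = re.match(r"\s*([A-Za-z_.]+)\s+(.+?)\s*$", line)
        if m:
            opts[m.group(1)] = m.group(2)
    return opts

def audit(portfile_text):
    """Return a list of findings about transport security for one Portfile."""
    opts = options(portfile_text)
    findings = []
    ignore = opts.get("fetch.ignore_sslcert", "no") == "yes"
    if opts.get("fetch.type") == "svn":
        scheme = urlsplit(opts.get("svn.url", "")).scheme
        if scheme != "https":
            findings.append(f"svn.url uses '{scheme}' instead of https")
        if ignore:
            findings.append("fetch.ignore_sslcert has no effect: "
                            "only used when fetch.type is standard")
    elif ignore:
        findings.append("fetch.ignore_sslcert yes: server certificate "
                        "is not verified for this download")
    return findings

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, audit(text) or "ok")
```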

comment:15 Changed 3 years ago by ryandesign (Ryan Schmidt)

In 787d284106c8477d724045c6479f7b07208a845a/macports-base:

Use MacPorts svn on El Capitan and earlier

Closes: #55933
(cherry picked from commit 8a3b73d263af3da6ad319a84f6bd163c69320cbe)

comment:16 Changed 3 years ago by ryandesign (Ryan Schmidt)

In 3f1d0f2f76945a0c6c4c45eb2b03e7bc285a84df/macports-base:

Improve wording of comment

See: #55933
(cherry picked from commit c8fd1a309845eca48b9d265ce87eac56f3ded289)

comment:17 Changed 3 years ago by ryandesign (Ryan Schmidt)

In 5233e5d6ddf725232ed0a5380be2dbce0a41861c/macports-base:

portfetch.tcl: Depend on port:subversion on 10.11 and earlier

See: #55933
(cherry picked from commit 62e07cae09eedfbb9d13a92373e512ed14c04591)

comment:18 Changed 3 years ago by ryandesign (Ryan Schmidt)

Milestone: MacPorts 2.5.0 → MacPorts 2.4.4