revert setting --insecure
to download ca-certificates
#18800
+7
−27
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
brew style
with your changes locally?brew typecheck
with your changes locally?brew tests
with your changes locally?Previously, adding
--insecure
was necessary for curl to download the ca-certificates .pem file on older macOS versions. At some point since then, the way Homebrew downloads this file was changed in a way that happens to allow stock curl on macOS 10.11 & 10.12 (curl 7.54.0 (x86_64-apple-darwin16.0) libcurl/7.54.0 SecureTransport zlib/1.2.8
) to download it during installation without needing--insecure
.This would have gone unnoticed, except that now adding
--insecure
actively prevents downloading from servers whose certificates rely on SNI because of a quirk of Secure Transport:This doesn't affect macOS 10.13 and later, whose curl uses LibreSSL (
curl 7.54.0 (x86_64-apple-darwin17.0) libcurl/7.54.0 LibreSSL/2.0.20 zlib/1.2.11 nghttp2/1.24.0
).Removing the code for adding
--insecure
to download ca-certificates allows fresh installs on macOS 10.11 & 10.12 to work again, which now only need the flag when downloading API *.json files from GitHub.(This also removes a long-forgotten
--insecure
reference in vendor-install.sh.)