--insecure arg added back

[AnastasiaSulyagina]

Adding this since Homebrew core and Cask are being merged and cask supports <10.6 OS versions.

[tdsmith]

I'm not aware of the context here but I think I would prefer not to support systems that can't handle certificate validation in Homebrew/brew.

[tdsmith]

-- although I don't want to relitigate something that's already been discussed; have folks already talked about this?

[AnastasiaSulyagina]

Context was that cask supports OS versions under 10.6 and have the line in utils code
https://github.com/AnastasiaSulyagina/homebrew-cask/blob/master/lib/vendor/homebrew-fork/utils.rb#L40
And as code is to be merged and cask's part to be deleted (as part of #14384 and my summer GSOC project), I added the line back here because it was not supposed to break anything in brew but made cask code work correctly with brew's core.

[AnastasiaSulyagina]

Committed wrong piece, sorry.

[tdsmith]

I see. I think it's really dangerous to silently disable certificate verification.

Assuming (without checking) that the curl on 10.6 and below is too old to support SNI or TLS 1.2 I think we shouldn't attempt to use it on the modern Internet. If supporting < 10.6 is a firm requirement (and maybe we should push back on that), maybe this is a candidate for vendoring for old systems, à la git and ruby in #404? /cc @xu-cheng @DomT4

If I'm wrong and the problem is just certificates, maybe we bundle the Mozilla certificate bundle from https://curl.haxx.se/docs/caextract.html?

[DomT4]

Yeah, I'd be pretty unhappy to say the least if we stuck this back in. I'm not convinced it was an entirely good idea when we originally tolerated it, I think there's even less of a case for it today.

I'm a little confused how this PR meshes with the 10.6 check in brew.

It's perhaps worth noting that the code for handling curl has deviated pretty significantly from where it was when the Cask forked it, including wholly excluding our newer mechanisms for favouring Homebrew's curl when present on older systems.

We also have added a doctor nag nudging people using <10.9 to install Homebrew's curl, and I've started work on a command to update certificates shipped with openssl, libressl, gnutls etc, particularly (but not exclusively) on older systems.

My PR there is kind of paused at the moment because I managed to end up dumping far too much on my plate at once, but it isn't dead, FWIW.

[AnastasiaSulyagina]

Ok, did not expect that. It seemed pretty similar to the old state on first glance. Will try to handle this differently.

[DomT4]

I'm not sure of the broader context here, beyond your original comment. For obvious reasons I've been keeping my nose out of other GSoC stuff, beside when directly pinged. If your need to do this is limited to how Homebrew currently uses curl, i.e. for the fetch mechanism, then you shouldn't need to change anything.

10.8 and below users will still be nagged to install Homebrew's curl, should soonish have a way to update certs out-of-band & if we get issues on downloading for those platforms installing our curl will be our first suggestion. FWIW 98% of Homebrew's known userbase is running 10.9 or newer.

If you're planning to piggyback on the existing fetch mechanism no changes should be required to that purely in terms of which curl and why, but please do feel free to elaborate if there's a misunderstanding here.

[MikeMcQuaid]

Thanks @AnastasiaSulyagina! I agree we probably don't need this. That said, we should eventually aim to have Homebrew/brew be effectively a merge of Tigerbrew and Linuxbrew's core but I agree unconditionally passing --insecure is probably not a good way of doing that. CC @mistydemeo for thoughts here.