This repository was archived by the owner on Jan 16, 2025. It is now read-only.

Remove curl-ca-bundle#28658

Closed
jacknagel wants to merge 3 commits intoHomebrew:masterfrom
jacknagel:ca

Conversation

@jacknagel
Contributor

This is no longer used, directly or indirectly, by anything in core. I want to discourage its use, since providing an unsigned bundle of certificates and letting users place their trust in it is a poor practice.

The openssl formula provides a cert file that is bootstrapped using certificates from the system keychain. Additional certificates can be added in $(brew --prefix)/etc/openssl/certs, where they will be picked up by openssl. This is a far more reasonable solution.

@jacknagel
Contributor Author

Another thing I'd like to address:

Currently, openssl's post-install step does two things: copy the system certificates to <openssldir>/osx_cert.pem, and then symlink it to <openssldir>/cert.pem.

The second step is skipped if cert.pem exists and is not a symlink. This was done to allow users to use this file to provide their own certs. I want to remove this behavior and recommend that users place custom .pem files in <openssldir>/certs (which openssl will recognize).
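The comment above says custom .pem files dropped in <openssldir>/certs will be recognized by openssl. The practical caveat is how that lookup works: OpenSSL's directory store (the one behind `-CApath` and `SSL_CTX_set_default_verify_paths()`) opens files named `<subject_hash>.N`, so a PEM copied in under a descriptive name is ignored until the directory is rehashed. The script below is an added example, not code from this PR or from the Homebrew openssl formula. It assumes `openssl` is on PATH, uses a temporary directory as a stand-in for `$(brew --prefix)/etc/openssl`, and generates every certificate on the fly (a stand-in "system root" in cert.pem, a private CA, and a leaf signed by that CA); none of these names or certificates come from the page.

```shell
# Added example (not from the PR or the Homebrew openssl formula): shows that a
# CA dropped into <openssldir>/certs is only picked up once the directory
# carries <subject_hash>.N links.  Assumptions: `openssl` on PATH; a temp dir
# stands in for $(brew --prefix)/etc/openssl; all certs are constructed here.
set -eu

WORK=$(mktemp -d)
OPENSSLDIR="$WORK/openssl"   # stand-in for $(brew --prefix)/etc/openssl
mkdir -p "$OPENSSLDIR/certs"

# self_signed <CN> <key-out> <cert-out>: constructed self-signed certificate.
self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 -subj "/CN=$1" \
    -keyout "$2" -out "$3" 2>/dev/null
}

# Stand-in for the keychain-derived bundle: a root unrelated to our private CA,
# so cert.pem alone must not validate the leaf.
make_bundle() {
  self_signed "Stand-in System Root" "$WORK/root.key" "$OPENSSLDIR/cert.pem"
}

# Constructed private CA plus a leaf certificate it signs.
make_private_pki() {
  self_signed "Example Private CA" "$WORK/ca.key" "$WORK/ca.pem"
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=leaf.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 1 -in "$WORK/leaf.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/leaf.pem" 2>/dev/null
}

# Exit 0 iff openssl accepts the leaf using the bundle plus the certs directory.
verify_leaf() {
  openssl verify -CAfile "$OPENSSLDIR/cert.pem" -CApath "$OPENSSLDIR/certs" \
    "$WORK/leaf.pem" >/dev/null 2>&1
}

# What a user does first: copy the CA into certs/ under a descriptive name.
install_ca_pem() {
  cp "$WORK/ca.pem" "$OPENSSLDIR/certs/example-private-ca.pem"
}

# Create the <subject_hash>.N symlinks the directory lookup actually reads.
# On a real system `openssl rehash <dir>` (OpenSSL 1.1+) or the c_rehash
# script does the same for the whole directory.
rehash_certs() {
  for pem in "$OPENSSLDIR"/certs/*.pem; do
    h=$(openssl x509 -noout -subject_hash -in "$pem")
    n=0
    while [ -e "$OPENSSLDIR/certs/$h.$n" ]; do n=$((n + 1)); done
    ln -s "$(basename "$pem")" "$OPENSSLDIR/certs/$h.$n"
  done
}

make_bundle
make_private_pki
install_ca_pem
if verify_leaf; then BEFORE_REHASH=ok; else BEFORE_REHASH=fail; fi
rehash_certs
if verify_leaf; then AFTER_REHASH=ok; else AFTER_REHASH=fail; fi
echo "verify before rehash: $BEFORE_REHASH; after rehash: $AFTER_REHASH"
```

Run as-is: the first verification fails with "unable to get local issuer certificate" because the CA file in certs/ has no hash-named link, and the second succeeds once the link exists. Two related points for anyone relying on this layout: OpenSSL 0.9.8 used a different subject-hash algorithm (OpenSSL 1.0 and later expose it as `-subject_hash_old`), so a directory rehashed for a new OpenSSL is not automatically usable by a 0.9.8-era build; and on macOS the system roots the bundle is bootstrapped from can be exported with the stock `security find-certificate -a -p` command against the SystemRootCertificates keychain, which is a generic tool and not a claim about how the formula itself does it.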

@MikeMcQuaid
Member

Seems good 👍

@chdiza
Contributor

chdiza commented Apr 24, 2014

curl-ca-bundle is needed on Tigerbrew, I think even when one is using Leopard (if I recall, even Leopard's system certs are too old for some stuff, which makes the openssl trick ineffective). If that's true, then dropping curl-ca-bundle in Homebrew amounts to dropping Leopard. I know that's planned anyway, but maybe not this soon?

@MikeMcQuaid
Member

Even 10.6 is no longer officially supported, incidentally.

@jacknagel
Contributor Author

As I explained, it's easy to add custom certs to our openssl installation. This formula is a security liability.

Tigerbrew is of course free to keep the formula if that is desired.

This is no longer used by anything in core.

The openssl formula provides a cert file that is bootstrapped using
certificates from the system keychain.

Additional certificates can be added in
  $(brew --prefix)/etc/openssl/certs

where they will be picked up by openssl.
@chdiza
Contributor

chdiza commented Apr 24, 2014

As I explained, it's easy to add custom certs to our openssl installation. This formula is a security liability.

I agree; I'm not arguing against this change, I'm just pointing out a consequence of removing it.

@jacknagel jacknagel closed this Apr 24, 2014
@jacknagel jacknagel deleted the ca branch April 24, 2014 18:31
jacknagel added a commit that referenced this pull request Apr 24, 2014
This is no longer used by anything in core.

The openssl formula provides a cert file that is bootstrapped using
certificates from the system keychain.

Additional certificates can be added in
  $(brew --prefix)/etc/openssl/certs

where they will be picked up by openssl.

Closes #28658.
@Homebrew Homebrew locked and limited conversation to collaborators Jul 11, 2014
3 participants