metalink: remove #7176
Closed
metalink: remove #7176
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Warning: this will make existing curl command lines that use metalink to stop working. Reasons for removal: 1. We've found several security problems and issues involving the metalink support in curl. The issues are not detailed here. When working on those, it become apparent to the team that several of the problems are due to the system design, metalink library API and what the metalink RFC says. They are very hard to fix on the curl side only. 2. The metalink usage with curl was only very briefly documented and was not following the "normal" curl usage pattern in several ways, making it surprising and non-intuitive which could lead to further security issues. 3. The metalink library was last updated 6 years ago and wasn't so active the years before that either. An unmaintained library means there's a security problem waiting to happen. This is probably reason enough. 4. Metalink requires an XML parsing library, which is complex code (even the smaller alternatives) and to this day often gets security updates. 5. Metalink is not a widely used curl feature. In the 2020 curl user survey, only 1.4% of the responders said that they'd are using it. Searching the web also show very few traces of it being used, even with other tools. 6. The torrent format and associated technology clearly won for downloading large files from multiple sources in parallel.
|
I disagree on point 6 though, torrent will never support e2dk or gnunet or ipts unlike MetaLink. But I recognize curl only supports servers protocols and not p2p ones. |
|
Assuming no major obstacle, I will merge this on June 7th. |
|
I would prefer if |
Good idea! |
|
Another idea could be to move metalink support to being an experimental feature (even though experimental generally means moving the other way) requiring an explicit opt-in before removing it. Iff there is an outcry after the release then there is a way for powerusers to keep their systems running while we take the discussion on how to proceed. FWIW, I'm not sure I want this but I wanted to raise it in the discussion before the PR is merged. |
|
I don't think we should merge even an experimental feature with known security problems so they would still need to be worked on first. Power users can just revert this removal to get metalink back with a local patch. If there's a strong enough demand to get it back "for real", I expect developer time to get funded to fix the issues. |
|
On 3 Jun 2021, at 14:44, Daniel Stenberg ***@***.***> wrote:
I don't think we should merge even an experimental feature with known security problems so they would still need to be worked on first.
Power users can just revert this removal to get metalink back with a local patch. If there's a strong enough demand to get it back "for real", I expect developer time to get funded to fix the issues.
Agreed, I mainly wanted the discussion to have covered all angles given how drastic this measure is.
|
|
maybe this has already been discussed here or elsewhere - apologies I have no sense of metalink usage ( I see very few respondents to survey use it) ... adhoc observation is that there is not a lot of adoption ... in the best of worlds (good developer support of exotic feature) my pref would be that said feature would not be part of the core ... considering we have less then good implementation - its a 'no brainer' to deprecate. Alternately is it time to discuss (prob again) how to formalise pluggability beyond obvious routes .. it makes my brain hurt as its so easy to extend curl/libcurl and not warrant inclusion into core repo ... but is it getting to the point where we need more points of extensibility ? |
Perhaps. I don't think this is the last straw that breaks the camel's back though because I don't think it is popular enough. Extensibility, plugins and add-ons are mentioned every once in a while. It's just that nobody has yet even tried to write up a suggestion of how it could work - at any level of ambition - so I think we're still not quite there yet. Personally, I'm casually skeptic because I think both curl and libcurl are what they are partly because they provide feature-packed all-in-one packages. |
bagder
added a commit
that referenced
this pull request
Jun 7, 2021
Warning: this will make existing curl command lines that use metalink to stop working. Reasons for removal: 1. We've found several security problems and issues involving the metalink support in curl. The issues are not detailed here. When working on those, it become apparent to the team that several of the problems are due to the system design, metalink library API and what the metalink RFC says. They are very hard to fix on the curl side only. 2. The metalink usage with curl was only very briefly documented and was not following the "normal" curl usage pattern in several ways, making it surprising and non-intuitive which could lead to further security issues. 3. The metalink library was last updated 6 years ago and wasn't so active the years before that either. An unmaintained library means there's a security problem waiting to happen. This is probably reason enough. 4. Metalink requires an XML parsing library, which is complex code (even the smaller alternatives) and to this day often gets security updates. 5. Metalink is not a widely used curl feature. In the 2020 curl user survey, only 1.4% of the responders said that they'd are using it. In 2021 that number was 1.2%. Searching the web also show very few traces of it being used, even with other tools. 6. The torrent format and associated technology clearly won for downloading large files from multiple sources in parallel. Cloes #7176
|
Closed by 265b14d |
ghost
mentioned this pull request
6 tasks
BrewTestBot
pushed a commit
to Homebrew/homebrew-core
that referenced
this pull request
Jun 8, 2021
See upstream pull request curl/curl#7176 which removes metalink support To build with metalink support is no longer available. Closes #78895. Signed-off-by: Carlo Cabrera <30379873+carlocab@users.noreply.github.com> Signed-off-by: BrewTestBot <1589480+BrewTestBot@users.noreply.github.com>
stewartsmith
pushed a commit
to stewartsmith/fedora-rpms-curl
that referenced
this pull request
Jul 9, 2021
Today curl upstream announced that they are going to completely remove
support for metalink from curl already in the next release of curl due
to a number of difficult to fix security issues:
https://curl.se/mail/archive-2021-06/0006.html
curl/curl#7176
ligurio
added a commit
to ligurio/tarantool
that referenced
this pull request
Apr 25, 2022
Changelog: https://curl.se/changes.html#7_82_0 curl 7.78.0 has not metalink support, see blog post about it [1] and pull request [2]. 1. https://daniel.haxx.se/blog/2021/06/07/bye-bye-metalink-in-curl/ 2. curl/curl#7176 NO_DOC=libcurl submodule bump NO_CHANGELOG=libcurl submodule bump NO_TEST=libcurl submodule bump Closes: tarantool#6029 Closes: tarantool/security#10
ligurio
added a commit
to ligurio/tarantool
that referenced
this pull request
Apr 25, 2022
Changelog: https://curl.se/changes.html#7_80_0 curl 7.78.0 has not metalink support, see blog post about it [1] and pull request [2]. 1. https://daniel.haxx.se/blog/2021/06/07/bye-bye-metalink-in-curl/ 2. curl/curl#7176 NO_DOC=libcurl submodule bump NO_CHANGELOG=libcurl submodule bump NO_TEST=libcurl submodule bump Closes: tarantool#6029 Closes: tarantool/security#10
ligurio
added a commit
to ligurio/tarantool
that referenced
this pull request
Apr 25, 2022
Changelog: https://curl.se/changes.html#7_80_0 curl 7.78.0 has not metalink support, see blog post about it [1] and pull request [2]. 1. https://daniel.haxx.se/blog/2021/06/07/bye-bye-metalink-in-curl/ 2. curl/curl#7176 NO_DOC=libcurl submodule bump NO_CHANGELOG=libcurl submodule bump NO_TEST=libcurl submodule bump Closes: tarantool#6029 Closes: tarantool/security#10
ligurio
added a commit
to ligurio/tarantool
that referenced
this pull request
Apr 25, 2022
Changelog: https://curl.se/changes.html#7_80_0 - curl 7.78.0 has not metalink support, see blog post about it [1] and pull request [2]. - libcurl build requires autotools, added required packages to .travis.mk 1. https://daniel.haxx.se/blog/2021/06/07/bye-bye-metalink-in-curl/ 2. curl/curl#7176 NO_DOC=libcurl submodule bump NO_CHANGELOG=libcurl submodule bump NO_TEST=libcurl submodule bump Closes: tarantool#6029 Closes: tarantool/security#10
ligurio
added a commit
to ligurio/tarantool
that referenced
this pull request
Apr 25, 2022
Changelog: https://curl.se/changes.html#7_80_0 - curl 7.78.0 has not metalink support, see blog post about it [1] and pull request [2]. - libcurl build requires autotools, added required packages to .travis.mk 1. https://daniel.haxx.se/blog/2021/06/07/bye-bye-metalink-in-curl/ 2. curl/curl#7176 NO_DOC=libcurl submodule bump NO_CHANGELOG=libcurl submodule bump NO_TEST=libcurl submodule bump Closes: tarantool#6029 Closes: tarantool/security#10
ligurio
added a commit
to ligurio/tarantool
that referenced
this pull request
Apr 25, 2022
Changelog: https://curl.se/changes.html#7_80_0 - curl 7.78.0 has not metalink support, see blog post about it [1] and pull request [2]. - libcurl build requires autotools, added required packages to .travis.mk NOTE: Job release_asan_clang11 in continuous integration triggers memory leak in Curl_resolv(): 022] # Starting group: http_client.sock_family:"AF_UNIX" [022] Exception ignored in: <_io.TextIOWrapper name='<stdout>' mode='w' encoding='utf-8'> [022] BrokenPipeError: [Errno 32] Broken pipe [022] [022] ================================================================= [022] ==1591052==ERROR: LeakSanitizer: detected memory leaks [022] [022] Indirect leak of 86 byte(s) in 1 object(s) allocated from: [022] #0 0x4a6072 in calloc (/home/ubuntu/actions-runner/_work/tarantool/tarantool/src/tarantool+0x4a6072) [022] tarantool#1 0x990839 in Curl_resolv (/home/ubuntu/actions-runner/_work/tarantool/tarantool/src/tarantool+0x990839) [022] [022] Indirect leak of 74 byte(s) in 1 object(s) allocated from: [022] #0 0x4a6072 in calloc (/home/ubuntu/actions-runner/_work/tarantool/tarantool/src/tarantool+0x4a6072) [022] tarantool#1 0x9907c5 in Curl_resolv (/home/ubuntu/actions-runner/_work/tarantool/tarantool/src/tarantool+0x9907c5) [022] [022] SUMMARY: AddressSanitizer: 160 byte(s) leaked in 2 allocation(s). Memory leak reproduced on default HTTP client and couldn't be reproduced with new clients created by require('http.client'):new(). Function Curl_resolv() has been added LSAN suppression list and new issue was submitted, see [3]. 1. https://daniel.haxx.se/blog/2021/06/07/bye-bye-metalink-in-curl/ 2. curl/curl#7176 3. tarantool#7080 NO_DOC=libcurl submodule bump NO_CHANGELOG=libcurl submodule bump NO_TEST=libcurl submodule bump Closes: tarantool#6029 Closes: tarantool/security#10
kyukhin
pushed a commit
to tarantool/tarantool
that referenced
this pull request
Apr 25, 2022
Changelog: https://curl.se/changes.html#7_80_0 - curl 7.78.0 has not metalink support, see blog post about it [1] and pull request [2]. - libcurl build requires autotools, added required packages to .travis.mk NOTE: Job release_asan_clang11 in continuous integration triggers memory leak in Curl_resolv(): 022] # Starting group: http_client.sock_family:"AF_UNIX" [022] Exception ignored in: <_io.TextIOWrapper name='<stdout>' mode='w' encoding='utf-8'> [022] BrokenPipeError: [Errno 32] Broken pipe [022] [022] ================================================================= [022] ==1591052==ERROR: LeakSanitizer: detected memory leaks [022] [022] Indirect leak of 86 byte(s) in 1 object(s) allocated from: [022] #0 0x4a6072 in calloc (/home/ubuntu/actions-runner/_work/tarantool/tarantool/src/tarantool+0x4a6072) [022] #1 0x990839 in Curl_resolv (/home/ubuntu/actions-runner/_work/tarantool/tarantool/src/tarantool+0x990839) [022] [022] Indirect leak of 74 byte(s) in 1 object(s) allocated from: [022] #0 0x4a6072 in calloc (/home/ubuntu/actions-runner/_work/tarantool/tarantool/src/tarantool+0x4a6072) [022] #1 0x9907c5 in Curl_resolv (/home/ubuntu/actions-runner/_work/tarantool/tarantool/src/tarantool+0x9907c5) [022] [022] SUMMARY: AddressSanitizer: 160 byte(s) leaked in 2 allocation(s). Memory leak reproduced on default HTTP client and couldn't be reproduced with new clients created by require('http.client'):new(). Function Curl_resolv() has been added LSAN suppression list and new issue was submitted, see [3]. 1. https://daniel.haxx.se/blog/2021/06/07/bye-bye-metalink-in-curl/ 2. curl/curl#7176 3. #7080 NO_DOC=libcurl submodule bump NO_CHANGELOG=libcurl submodule bump NO_TEST=libcurl submodule bump Closes: #6029 Closes: https://github.com/tarantool/security/issues/10
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Warning: this will make existing curl command lines that use metalink to
stop working.
Reasons for removal:
We've found several security problems and issues involving the
metalink support in curl. The issues are not detailed here. When
working on those, it become apparent to the team that several of the
problems are due to the system design, metalink library API and what
the metalink RFC says. They are very hard to fix on the curl side
only.
The metalink usage with curl was only very briefly documented and was
not following the "normal" curl usage pattern in several ways, making
it surprising and non-intuitive which could lead to further security
issues.
The metalink library was last updated 6 years ago and wasn't so
active the years before that either. An unmaintained library means
there's a security problem waiting to happen. This is probably reason
enough.
Metalink requires an XML parsing library, which is complex code (even
the smaller alternatives) and to this day often gets security
updates.
Metalink is not a widely used curl feature. In the 2020 curl user
survey, only 1.4% of the responders said that they'd are using
it. Searching the web also show very few traces of it being used,
even with other tools.
The torrent format and associated technology clearly won for
downloading large files from multiple sources in parallel.