Buy commercial curl support. We
help you work out your issues, debug your libcurl applications, use the API,
port to new platforms, add new features and more. With a team lead by the
curl founder Daniel himself.
curl in the next Debian stable (Debian13/trixie)
- Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]
From: Carlos Henrique Lima Melara via curl-distros <curl-distros_at_lists.haxx.se>
Date: Sat, 22 Feb 2025 21:27:15 -0300
Hi,
-----
TL;DR: Debian 13 (next stable) will likely be released with curl 8.13.0.
We have to decide on whether to keep building the curl CLI with
GnuTLS (for HTTP/3), and whether to keep building the OpenSSL
libcurl with HTTP/3 (currently experimental and slow).
-----
The new Debian stable release, Debian 13/trixie, is expected to be
released sometime in Q2/Q3 2025, which means we are close to the freeze
period. During the freeze we avoid doing big changes and focus on fixing
bugs, so we are already planning which curl release is going to be
shipped. Our soft freeze will start on 2025-04-15 and we will likely
stick to curl 8.13.0 which is planed to be released in 2025-04-02.
Until the next stable release, during the freeze, we will have to decide
whether to keep the curl CLI linked against GnuTLS (for HTTP/3) and
whether to keep building the OpenSSL libcurl with HTTP/3 (currently
experimental and slow).
This wasn't anounced anywhere, but Debian's OpenSSL libcurl is built
with HTTP/3 support since 8.12.1-1, although the curl CLI still uses the
GnuTLS libcurl.
For the GnuTLS curl CLI, our decision will revolve around the following:
1) Change in behavior for certificates [1]. GnuTLS actually follows the
RFC2818 and doesn't allow IPs in the subjectAltName (Common Name - CN)
field of x509 certificates.
2) cURL not working with some specif pkcs11 URLs with GnuTLS backend [2][3]
3) --ciphers not supported using GnuTLS backend [4][5]
These are all the issues we've identified so far. Our
main concern is not with bugs per-se, but with behavior changes in
situations where OpenSSL might be too relaxed with standards whereas
GnuTLS follow them more strictly (as seem on number 1).
For OpenSSL with HTTP/3 (for libcurl), we will need to understand
whether curl plans to drop support for that in favor of the upcoming
OpenSSL QUIC API. The new OpenSSL release is likely to be shipped in
Debian 13, but I don't expect curl to be using that in time, besides
this OpenSSL feature likely not being mature enough. If support for
HTTP/3 with OpenSSL+nghttp3 will be dropped from curl, in favor of
OpenSSL QUIC, then we should not ship that on Debian.
Cheers,
Charles on behalf of Debian curl maintainers
[1] https://bugs.debian.org/1075859
[2] https://bugs.debian.org/1077060
[3] https://github.com/curl/curl/issues/16249
[4] https://bugs.debian.org/1095981
[5] https://github.com/curl/curl/issues/16341
Date: Sat, 22 Feb 2025 21:27:15 -0300
Hi,
-----
TL;DR: Debian 13 (next stable) will likely be released with curl 8.13.0.
We have to decide on whether to keep building the curl CLI with
GnuTLS (for HTTP/3), and whether to keep building the OpenSSL
libcurl with HTTP/3 (currently experimental and slow).
-----
The new Debian stable release, Debian 13/trixie, is expected to be
released sometime in Q2/Q3 2025, which means we are close to the freeze
period. During the freeze we avoid doing big changes and focus on fixing
bugs, so we are already planning which curl release is going to be
shipped. Our soft freeze will start on 2025-04-15 and we will likely
stick to curl 8.13.0 which is planed to be released in 2025-04-02.
Until the next stable release, during the freeze, we will have to decide
whether to keep the curl CLI linked against GnuTLS (for HTTP/3) and
whether to keep building the OpenSSL libcurl with HTTP/3 (currently
experimental and slow).
This wasn't anounced anywhere, but Debian's OpenSSL libcurl is built
with HTTP/3 support since 8.12.1-1, although the curl CLI still uses the
GnuTLS libcurl.
For the GnuTLS curl CLI, our decision will revolve around the following:
1) Change in behavior for certificates [1]. GnuTLS actually follows the
RFC2818 and doesn't allow IPs in the subjectAltName (Common Name - CN)
field of x509 certificates.
2) cURL not working with some specif pkcs11 URLs with GnuTLS backend [2][3]
3) --ciphers not supported using GnuTLS backend [4][5]
These are all the issues we've identified so far. Our
main concern is not with bugs per-se, but with behavior changes in
situations where OpenSSL might be too relaxed with standards whereas
GnuTLS follow them more strictly (as seem on number 1).
For OpenSSL with HTTP/3 (for libcurl), we will need to understand
whether curl plans to drop support for that in favor of the upcoming
OpenSSL QUIC API. The new OpenSSL release is likely to be shipped in
Debian 13, but I don't expect curl to be using that in time, besides
this OpenSSL feature likely not being mature enough. If support for
HTTP/3 with OpenSSL+nghttp3 will be dropped from curl, in favor of
OpenSSL QUIC, then we should not ship that on Debian.
Cheers,
Charles on behalf of Debian curl maintainers
[1] https://bugs.debian.org/1075859
[2] https://bugs.debian.org/1077060
[3] https://github.com/curl/curl/issues/16249
[4] https://bugs.debian.org/1095981
[5] https://github.com/curl/curl/issues/16341
-- Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-distros Etiquette: https://curl.se/mail/etiquette.htmlReceived on 2025-02-23