Re: "The Most Dangerous Code in the World"

From: Daniel Stenberg <>
Date: Sun, 28 Oct 2012 18:11:37 +0100 (CET)

On Sat, 27 Oct 2012, Alessandro Ghedini wrote:

>> See my attached patch that does exactly this. As this *will* cause one or
>> two legitimate users to get an error I'm very interested in further feedback.
> Could this be preceded by a graceful transition period, in which e.g.
> libcurl prints a big warning?

libcurl can't print any effective warnings. It can show warnings in debug
output and it can return errors. I don't see how adding a warning in the debug
output will make _any_ user change behavior. These users are already basically
doing bad copy and paste programming and I don't think they would notice such
a thing.

Graceful periods for libcurl really won't work very effectively. Some of our
users use libcurl versions that are up to ten years old. Some users just
upgrade when necessary and it can take many years between the bumps. Besides,
my first argument would be valid for a grace period as well.

> Or maybe it could be made optional at first (e.g. using a configure flag). I
> don't know about other distributions, but Debian has a lot of packages that
> build depends on libcurl, and testing all of them will surely take a lot of
> time, so having this as optional at first will help testing all the packages
> and at the same time it will avoid preventing updates of curl.

But the point of this change would largely be to CAUSE the problems on purpose
since hardly any of the users would actually like this option to be used in
production code.

The idea is to treat 1 for this option as a bug, and we now fix that bug.

> Also, is there going to be a SONAME bump too?

No. This change will only happen if we agree that it can be done without an
SONAME bump.

Received on 2012-10-28