cURL / Mailing Lists / curl-library / Single Mail

curl-library

Re: "The Most Dangerous Code in the World"

From: Dave Reisner <d_at_falconindy.com>
Date: Sun, 28 Oct 2012 14:09:33 -0400

On Sun, Oct 28, 2012 at 07:01:48PM +0100, Alessandro Ghedini wrote:
> On dom, ott 28, 2012 at 06:11:37 +0100, Daniel Stenberg wrote:
> > On Sat, 27 Oct 2012, Alessandro Ghedini wrote:
> >
> > >>See my attached patch that does exactly this. As this *will*
> > >>cause one or two legitimate users get an error I'm very
> > >>interested in further feedback.
> > >
> > >Could this be preceded by a graceful transition period, in which
> > >e.g. libcurl prints a big warning?
> >
> > libcurl can't print any effective warnings. It can show warnings in
> > debug output and it can return errors. I don't see how adding a
> > warning in the debug output will make _any_ user change behavior.
> > These users are already basically doing bad copy and paste
> > programming and I don't think they would notice such a thing.
>
> Yes, I meant debug mode, and thinking about this, it wasn't really a good idea.
>
> > But the point of this change would larger be to CAUSE the problems
> > on purpose since hardly any of the users would actually like this
> > option to be used in production code.
> >
> > The idea is to treat 1 for this option to be a bug and we now fix that bug.
>
> The problem, from my "Debian maintainer of curl" point of view, is that I cannot
> upload a new curl version knowing that it will break something hoping that
> someone, some day will notice the breakage. I have to make sure that the packages
> affected by this change still work (or have them fixed, or at least notify the
> respective maintainers) and this requires time.
>
> Now, I could just not upload the new curl version for days/weeks/months until
> I finish this work which is fine, but it will make Debian's curl version to be
> outdated for a while and I'd like to avoid this. The configure flag would allow
> me to upload new curl versions with this change disabled, and at the same time
> do all the testing needed with a curl with the change enabled.
>
> To make this clear, the change can and should be enabled by default, I just
> would like a way to disable it temporarily on Debian.

As Arch Linux's maintainer of curl, here's my advice:

If you want it disabled, it seems to me to be a no brainer -- revert the
patch that enables it. I don't think this should be an on/off switch
that curl upstream provides. If you're concerned at a _distro_ level
that things will break, then I suggest taking action at the _distro_
level.

> Also, I understand that this may require more maintainance on your part (and
> probably some ugly code) and I won't cry if you just say no, but I want you to
> understand my concern.
>
> Cheers
>
> --
> perl -E '$_=q;$/= @{[@_]};and s;\S+;<inidehG ordnasselA>;eg;say~~reverse'

> -------------------------------------------------------------------
> List admin: http://cool.haxx.se/list/listinfo/curl-library
> Etiquette: http://curl.haxx.se/mail/etiquette.html

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2012-10-28