

Re: "The Most Dangerous Code in the World"

From: Daniel Stenberg <>
Date: Mon, 29 Oct 2012 20:04:32 +0100 (CET)

On Sun, 28 Oct 2012, Alessandro Ghedini wrote:

> The problem, from my "Debian maintainer of curl" point of view, is that I
> cannot upload a new curl version knowing that it will break something hoping
> that someone, some day will notice the breakage.

Yes you can.

I'm a Debian user myself, and I wouldn't want one of my applications to be
insecure, unknowingly to me, where it claims otherwise - which is basically
what the value of 1 means.

And with this change, if something breaks, it is more likely to point out a
problem with the application than to actually break a working feature.

> I have to make sure that the packages affected by this change still work (or
> have them fixed, or at least notify the respective maintainers) and this
> requires time.

If they don't claim to be secure (which is fine with me), then they should use
the value 0. As has been discussed, the value 1 is not really working the same
way with the different backends, so it would already be a problem depending on
which specific libcurl you'd use when the application runs. Alas, this change
would only help you make the problem more visible, as it would already exist!

Received on 2012-10-29