cURL / Mailing Lists / curl-library / Single Mail


Re: "The Most Dangerous Code in the World"

From: Alessandro Ghedini <>
Date: Mon, 29 Oct 2012 21:43:09 +0100

On lun, ott 29, 2012 at 08:04:32 +0100, Daniel Stenberg wrote:
> On Sun, 28 Oct 2012, Alessandro Ghedini wrote:
> >The problem, from my "Debian maintainer of curl" point of view, is
> >that I cannot upload a new curl version knowing that it will break
> >something hoping that someone, some day will notice the breakage.
> Yes you can.
> I'm a Debian user myself, and I wouldn't want one of my applications
> unknowingly to me be insecure where claimed otherwise - which is
> basically what the value of 1 means.
> And with this change, if something breaks, it is most likely to
> point out a problem with the application than actually breaking a
> working feature.

I'm not saying just ignore the problem, only that *before* making the change, at
least in Debian, I'd feel more comfortable to know in advance which particular
packages will be affected and fix them or whatever.

Anyway, I just run a quick grep on all the sources of the packages that build
depend on libcurl and those that explicitly set CURLOPT_SSL_VERIFYPEER are very
few, even less those that set it to 1 (possibily 5-6). This said I still have to
check those that use php5-curl, pycurl, ... (but there aren't many).

So, overall I think the impact of the change could be much lower than I thought
and the testing/fixing part won't take very much (I hope).


perl -E '$_=q;$/= @{[@_]};and s;\S+;<inidehG ordnasselA>;eg;say~~reverse'

List admin:

Received on 2012-10-29