curl-library

Re: [PATCH] Handle --cacert option on Mac OS X with darwinssl

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Wed, 23 Apr 2014 08:30:32 +0200 (CEST)

On Tue, 22 Apr 2014, Nick Zitzmann wrote:

> I've skimmed over it, and I'm reluctant to include it in the next point
> release, mainly because this is a huge change to secure code used by
> millions of people[1], and we've already learned in the past two months how
> a single line in supposedly secure code can cause a huge security hole (see
> "goto fail" and Heartbleed).
>
> We ought to consider this for a future release, though. Thanks for the patch.

Any suggestions on how we'd proceed to merge it? It is right now 231 new lines
of code.

We should consider what test cases we have that would run this code, or
rather what tests we can and should add to increase our chances of detecting
problems.

Also, once we merge it people (on Mac at least) can use clang-analyzer etc to
statically analyze the code for possible flaws.

> it's a core component of OS X starting in Mavericks

I recognize that and I think it is awesome. But we also can't make that fact
scare us away from doing/adding good stuff. Plus the fact that Apple is in
fact deciding for themselves what to do with their OS and they're more than
welcome to come forward and help us test and improve things!

-- 
  / daniel.haxx.se
Received on 2014-04-23