curl-library
Should curl package maintainers enable libidn2 by default or no?
Date: Tue, 31 Oct 2017 17:06:41 -0500
Hi, I maintain curl in MacPorts.
We used to build curl with libidn 1.x support enabled all the time. We stopped doing that when the curl version was 7.43.0 in June 2015 in response to this post from Daniel which said doing so represented a security vulnerability:
https://curl.haxx.se/mail/lib-2015-06/0143.html
The post concluded with the recommendation:
> Rebuild libcurl with libidn support disabled.
>
> Starting now, libcurl will build with libidn disabled by default until
> this situation has been changed to satisfaction.
Today's curl (7.56.1) automatically enables the use of libidn2, unless explicitly disabled via the --without-libidn2 configure flag.
Do I take this to mean that curl with libidn2 is not considered dangerous anymore, and that it is now recommended for package maintainers to ship curl with libidn2 support enabled by default? If so, is there a reason for us to give the user a way to disable that support or should we just enable it all the time? (In MacPorts, we prefer to limit user choices to the essentials; we don't expose every configure flag just because it's there.)
I did search the mailing list archives and found some posts about libidn2 after June 2015; apologies if I missed an existing answer to this question.
-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2017-10-31