curl-library
Re: Should curl package maintainers enable libidn2 by default or no?
Date: Wed, 1 Nov 2017 01:53:47 -0500
On Oct 31, 2017, at 17:22, Daniel Stenberg wrote:
> On Tue, 31 Oct 2017, Ryan Schmidt wrote:
>
>> Today's curl (7.56.1) automatically enables the use of libidn2, unless explicitly disabled via the --without-libidn2 configure flag.
>>
>> Do I take this to mean that curl with libidn2 is not considered dangerous anymore, and that it is now recommended for package maintainers to ship curl with libidn2 support enabled by default?
>
> Well yes. libidn2 was never vulnerable to this problem so once we added support for that and dropped libidn, we could again support IDN fine in curl. libidn2 is another library than libidn.
>
>> If so, is there a reason for us to give the user a way to disable that support or should we just enable it all the time? (In MacPorts, we prefer to limit user choices to the essentials; we don't expose every configure flag just because it's there.)
>
> No, there's no known security reason to avoid enabling libidn2 in curl builds. For generic curl builds I would recommend building with it so that users can use international domain names in URLs.

Thanks for the clarifications! I've made the change in MacPorts:
https://github.com/macports/macports-ports/commit/8e960042fb486d052e9163b4f2f2a4b76f1c81dd
Received on 2017-11-01