Re: C99

From: Dan Fandrich via curl-library <>
Date: Fri, 23 Sep 2022 00:23:23 -0700

On Thu, Sep 22, 2022 at 10:02:04AM -0500, Kevin R. Bulgrien via curl-library wrote:
> By advocating for "our responsibility" to avoid backwards compatibility
> because it "promotes irresponsibility", comes off to some of us as, well,
> so sad to be you, a responsible person, because we are going to rip away
> your ability to be responsible, because we despise the actions of others
> and because it makes our lives easier. Mind you, having done these hard
> things, I appreciate making lives easier, but I also greatly appreciate
> the additional effort by others to make my life easier too.

I'm glad that my C89 fixes to curl (as well as those of countless other
contributors) have helped over the years, as they also helped me, but it's not
the 20th century any more. Sorry, you're not entitled to a free program that
meets your every need indefinitely into the future. Most curl developers do
this work on curl not because they have to, but because they want to. 24 years
ago, they wanted to (perhaps by default) maintain compatibility with a 9 year
old language standard. Today, there are fewer who want to maintain
compatibility with a 33 year old language.

> So essentially, if I follow the logic here, I am actually, an irresponsible
> person because I have empowered someone to continue to run an old system -
> as if I was irresponsible myself, even though, by doing what I am, there
> has been a reduction in potential negative impact of a decision I have no
> ultimate control over. So, yeah, I don't want any part of that kind of
> thinking. I actually doubt that is what was intended, but that is how it
> reads.

If an ancient system you're working on, despite the hard effort you're putting in
to make it secure, gets hacked, added to a botnet then DDoSes one of my
servers, then yes, you bear a part of the responsibility for allowing that
foreseeable result to happen. I maintain it's impossible to harden an ancient,
closed-source system to make it impervious to attack. It's awfully hard to do
so in a modern, open-source system, but you can at least get a lot closer, a
lot easier. And arguing that you're only following the orders of your employer
to do so doesn't absolve you.

But, this isn't the only or even the main reason to drop C89 support. Please
don't fixate on it.

> Please don't accuse someone that
> patched libssh2, openssl 3.0.3, submitted patches to curl, and made this
> thing, of actually being irresponsible for doing so without first engaging
> at a level that can help you see what kind of person I actually am and what
> I actually do with respect to placing pressure toward or away from good.

I don't know you, I don't recall looking at your patches, and I'm not passing
judgement on you or your code. Clearly, you've considered some of the risks of
maintaining legacy systems on the Internet already. My main point is that
there comes a time to raise the bar for the minimal system that a modern curl
needs to run on and that making extra effort to help the few legacy
systems out there is no longer worthwhile.

Received on 2022-09-23