Distributions quote of the week
It is really hard for packagers to know what curl features that are used and not used. There simply is no way to find out, besides shipping a version and listening to the screams of users in pain when things break. It will also force them into line-drawing decisions such as “only N users seem to use feature Z so let’s keep that in the full package” and figuring out the N number is a fuzzy estimate at best. — Daniel Stenberg
Posted Mar 17, 2022 13:53 UTC (Thu)
by Paf (subscriber, #91811)
Is anyone seriously suggesting the curl implementation of *rarely used protocols* is better than the implementation of *commonly used ones*? This is just another measure of the fact that curl is 99% an invisible system component for pulling data via HTTP, HTTPS and perhaps FTP, and 1% an admin protocol wrangler. We find defects in the paths that see use. But it’s madness to suggest that means the other paths are fine.
Posted Mar 18, 2022 9:56 UTC (Fri)
by bagder (guest, #38414)
(I am Daniel, quoted above)
I never said "why bother" and I wouldn't. The reality is that we find more (security) problems in code we use more. This is just natural and I would expect this is a pattern in most software. There's nothing strange or peculiar about it. But since it is still a reality, I think it is worth highlighting as this proposal is made in the name of security.
> This is just another measure of the fact that curl is 99% an invisible system component for pulling data via HTTP, HTTPS and perhaps FTP, and 1% an admin protocol wrangler.
[Citation needed]
