On Mon, Oct 29, 2012 at 08:04:32 +0100, Daniel Stenberg wrote:
> On Sun, 28 Oct 2012, Alessandro Ghedini wrote:
>
> >The problem, from my "Debian maintainer of curl" point of view, is
> >that I cannot upload a new curl version knowing that it will break
> >something hoping that someone, some day will notice the breakage.
>
> Yes you can.
>
> I'm a Debian user myself, and I wouldn't want one of my applications
> unknowingly to me be insecure where claimed otherwise - which is
> basically what the value of 1 means.
>
> And with this change, if something breaks, it is most likely to
> point out a problem with the application than actually breaking a
> working feature.

I'm not saying just ignore the problem, only that *before* making the change, at
least in Debian, I'd feel more comfortable knowing in advance which particular
packages will be affected and fix them or whatever.

Anyway, I just ran a quick grep on all the sources of the packages that build
depend on libcurl, and those that explicitly set CURLOPT_SSL_VERIFYPEER are very
few, even fewer those that set it to 1 (possibly 5-6). That said, I still have to
check those that use php5-curl, pycurl, ... (but there aren't many).

So, overall I think the impact of the change could be much lower than I thought
and the testing/fixing part won't take very much (I hope).

Cheers
--
perl -E '$_=q;$/= @{[@_]};and s;\S+;<inidehG ordnasselA>;eg;say~~reverse'
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
