On Apr 22, 2014, at 23:30, Daniel Stenberg <[email protected]> wrote:

> On Tue, 22 Apr 2014, Nick Zitzmann wrote:
>
>> I've skimmed over it, and I'm reluctant to include it in the next point
>> release, mainly because this is a huge change to secure code used by
>> millions of people[1], and we've already learned in the past two months how
>> a single line in supposedly secure code can cause a huge security hole (see
>> "goto fail" and Heartbleed).
>>
>> We ought to consider this for a future release, though. Thanks for the patch.
>
> Any suggestions on how we'd proceed to merge it? It is right now 231 new
> lines of code.
>
> We should consider what test cases we have that would run this code, or
> rather what tests we can and should add to increase our chances of detecting
> problems.
>
> Also, once we merge it people (on Mac at least) can use clang-analyzer etc to
> statically analyze the code for possible flaws.
>
>> it's a core component of OS X starting in Mavericks
>
> I recognize that and I think it is awesome. But we also can't make that fact
> scare us away from doing/adding good stuff. Plus the fact that Apple is in
> fact deciding for themselves what to do with their OS and they're more than
> welcome to come forward and help us test and improve things!

Indeed - curl is widely used around the world; I certainly wouldn't shy away
from implementing new things just because Apple is using it too. curl has been
an extremely reliable piece of software over the years, and I have no doubt
that will continue to be the case. The patch looks reasonable to me. Given that
it is functionality that currently doesn't work at all, I don't see the harm -
as long as it isn't falsely verifying certificates. I'm happy to test changes
like this, time permitting.

- Toby
(curl maintainer at Apple)

>
> --
>
> / daniel.haxx.se
> -------------------------------------------------------------------
> List admin: http://cool.haxx.se/list/listinfo/curl-library
> Etiquette: http://curl.haxx.se/mail/etiquette.html
