On Thu, May 19, 2022 at 12:23:03PM +0200, TheAssassin via curl-library wrote:
> I don't see why a user would add that path. If a user would compile libcurl
> with /etc/motd as the main CA certificate bundle path at the moment,
> unexpected behavior will occur as well. It is the job of the developer who
> generates the libcurl binary to provide proper paths.

I'm just using that as an example. /tmp/something would be an even worse
example. The developer is definitely responsible for choosing something sane.

> Whether you support one bundle or multiple bundles doesn't make a big
> difference. The proposed paths are all in read-only, root-writable
> locations, as per the FHS. Only distributions which ignore this standard
> could maybe be affected by such an issue. But then again, the existing
> single CA bundle path may be writable as well.

Using it in the way you describe should be fine. I'm just thinking about ways a
naive developer could misuse the feature.

Dan
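
One way to check the property this thread turns on, that a candidate CA bundle path and each of its parent directories can be modified only by trusted accounts. This is an added example, not part of the original message and not libcurl code; the function name `audit_ca_path` and its `trusted_uids` parameter are assumptions made for illustration.

```python
import os
import stat
import sys

def audit_ca_path(path, trusted_uids=(0,)):
    """Return (component, problem) pairs for one CA bundle path.

    Checks the resolved file and every parent directory up to the root: a
    bundle is only as trustworthy as the least protected component, since
    write access to a parent lets someone replace the file.
    """
    findings = []
    current = os.path.realpath(path)  # follow symlinks to the real target
    while True:
        try:
            st = os.stat(current)
        except FileNotFoundError:
            # A missing bundle can be created by whoever can write the parent.
            findings.append((current, "missing"))
        else:
            if st.st_uid not in trusted_uids:
                findings.append((current, "owner uid %d not trusted" % st.st_uid))
            if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((current, "writable by group or others"))
        parent = os.path.dirname(current)
        if parent == current:  # reached the filesystem root
            return findings
        current = parent

if __name__ == "__main__":
    # Paths named in the thread, used as sample input; pass your own as arguments.
    for candidate in sys.argv[1:] or ["/etc/motd", "/tmp/something"]:
        problems = audit_ca_path(candidate)
        print(candidate, "OK" if not problems else problems)
```

An empty result means no component of the path is owned by an untrusted account or writable by group or others.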