It also handles libcurl-debug escaping into the wild and being silently loaded by applications. And in a multi-user environment, make install would not cause other users pain.
If you really want to use the debug version, e.g. in CI or with a debugger, simply ln (-s) -f them to the standard names.
Anyone who does alias the debug versions to the standard ones has taken an unobvious explicit action and can be assumed to know what they are doing.
The warning in the command tool is also a good idea, though perhaps not on the first line. Perhaps make the version be n.m.o-DEBUG. That would break most version parsers - which is a good thing if this is a mistake, but easy to allow for if a script wants to deal with a debug version.
You also might consider having configure/cmake produce a warning when DEBUG is enabled.
Timothe Litt ACM Distinguished Engineer -------------------------- This communication may not represent the ACM or my employer's views, if any, on the matters discussed. On 11-Jan-23 08:24, Daniel Stenberg via curl-library wrote:
Hi team,The other day a user submitted an issue that made it obvious to me that they had accidentally and unintionally built a debug-enabled libcurl and might have used that in production unless I had told them about and talked them out of it.A debug-enabled libcurl has debug and test code conditionally built in that makes it unsuitable and unwise to ship and use in production. Some of that test code can be made to act funny or even wrongly, most often controlled by simple environment variables.I was thinking of what we can do to make this less likely to happen without users being aware of exactly what is going on. Perhaps outputting a little warning at the top of the -V/--version output would help?Like this: $ curl -V WARNING: this libcurl is Debug-enabled, do not use in productioncurl 7.87.1-DEV (x86_64-pc-linux-gnu) libcurl/7.87.1-DEV OpenSSL/3.0.7 zlib/1.2.13 brotli/1.0.9 zstd/1.5.2 c-ares/1.18.1 libidn2/2.3.3 libpsl/0.21.0 (+libidn2/2.3.0) nghttp2/1.50.0-DEV ngtcp2/0.13.0-DEV nghttp3/0.9.0-DEV librtmp/2.3 libgsasl/2.2.0Release-Date: [unreleased] ...This warning exists as a pull-request: https://github.com/curl/curl/pull/10278Feel free to comment here or in the PR.
OpenPGP_signature
Description: OpenPGP digital signature
-- Unsubscribe: https://lists.haxx.se/listinfo/curl-library Etiquette: https://curl.se/mail/etiquette.html