On 02/12, Christoph Egger wrote:
> Daniel Stenberg <[email protected]> writes:
> > On Thu, 11 Feb 2016, Christoph Egger wrote:
> >> +#if LIBCURL_VERSION_NUM >= 0x074400
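
Review bot: the constant on the `#if` line does not match the intended release. LIBCURL_VERSION_NUM is encoded as 0xXXYYZZ in hexadecimal, so 0x074400 is 7.68.0, while 7.44.0 is 0x072c00; as written, the guarded code is compiled out for every libcurl older than 7.68.0. Suggest using 0x072c00, and handling the case where the guard is false so that a configured pin is not dropped without a message.
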
> >
> > That should probably be 0x072c00 ...
>
> This is, of course, right.
>
> I used 7.44 / 0x072c00 as base because it has robust support for this
> feature (including the sha256// variant). One could lower that depending
> on the compromises one is willing to take FWIW
>
>   Added in 7.39.0 for OpenSSL, GnuTLS and GSKit. Added in 7.43.0 for NSS
>   and wolfSSL/CyaSSL. Added for mbedtls in 7.47.0, sha256 support added
>   in 7.44.0 for OpenSSL, GnuTLS, NSS and wolfSSL/CyaSSL. Other SSL
>   backends not supported.
>
> Also some people suggested that git should fail if this option is
> requested in the config but not supported by the libcurl version instead
> of falling back to just not pinning the key. I'm undecided about that.

This seems to have been suggested off list (or at least I can't find
the message).  FWIW I do agree with failing, or as a bare minimum
warning the user, if the config option is set but not supported by the
libcurl version.  Otherwise we risk giving the user a false sense of
security when the option is set, which is arguably worse than not
having the security option at all.

>   Christoph