Wait, so without the option it checks against the system trust store, and with the option it does exactly the same (but may also include an additional CA if that was passed as the argument)?
This should be a cve. There is a security feature. It does not work as documented. That’s a vulnerability. That should get a cve.
OpenBSD forked OpenSSL due to HeartBleed. OpenBSD developers are generally regarded as quite on top of their game when it comes to security, so why the “still using LibreSSL” FUD?
TL;DR?

> The problem is strictly speaking not even in curl code. It comes with the version of LibreSSL that Apple ships and builds curl to use on their platforms.
But because they’re Apple (right next to the Pope, for infallibility), they know best; same old story, rinse’n’repeat.
Really liked their stuff back in the day. Now? It’s another walled garden they scrabble to maintain.
Apple adheres to the principle of form over function, instead of the old but still valid "form follows function" design principle. But TBH I never liked their stuff or their over-the-top big cheese attitude. So it’s not a disgruntled Apple user writing this.
Probably so, but Apple is the only one I’ve encountered actually using it. The whole point is it’s supposed to be backwards compatible and it’s just not.
If you meant that they’ve dropped plenty of OpenSSL functionality - well, the whole purpose of the fork was to refactor it into something less scary. And since it was done by OpenBSD people - they have their own approach, not always culturally compatible with enterprise usage.
AI is nothing more than the most recent expression of capitalism’s “race to the bottom”. It may (may) help… once it has already ruined everyone else.
That’s a very, very good read on how to make a very complex C project safer in practice. To sum up: make it possible to introduce new modules in a memory-safe language (Rust in this case), make it harder to write bugs in C since the C part is not going to disappear overnight, and use as much tooling as you can to find any existing or newly introduced bugs (both memory bugs and logic errors).
He brings up the “just rewrite in Rust” argument. Curious as I am, I had a look and only found a single project that actually tried it: github.com/TogarashiPepper/curl
When cross-posted >= 2, should go to a dedicated page like Reddit has had for a very long time… and allow easy viewing of who posted, date, number of comments, date of last comment, votes, etc.