diff options
| author | Daniel Stenberg <daniel@haxx.se> | 2021-06-01 16:24:00 +0200 |
|---|---|---|
| committer | Daniel Stenberg <daniel@haxx.se> | 2021-06-07 08:14:25 +0200 |
| commit | 265b14d6b37c4298bd5556fabcbc37d36f911693 (patch) | |
| tree | 3c7ca96bc1ce2e859bfaa71a0d6afcad56c9f9f7 /.cirrus.yml | |
| parent | 9cf516adc67b67388e22bb8c33cb3fabd68f2ac6 (diff) | |
| download | curl-265b14d6b37c4298bd5556fabcbc37d36f911693.tar.gz | |
metalink: remove
Warning: this will make existing curl command lines that use metalink to
stop working.
Reasons for removal:
1. We've found several security problems and issues involving the
metalink support in curl. The issues are not detailed here. When
working on those, it become apparent to the team that several of the
problems are due to the system design, metalink library API and what
the metalink RFC says. They are very hard to fix on the curl side
only.
2. The metalink usage with curl was only very briefly documented and was
not following the "normal" curl usage pattern in several ways, making
it surprising and non-intuitive which could lead to further security
issues.
3. The metalink library was last updated 6 years ago and wasn't so
active the years before that either. An unmaintained library means
there's a security problem waiting to happen. This is probably reason
enough.
4. Metalink requires an XML parsing library, which is complex code (even
the smaller alternatives) and to this day often gets security
updates.
5. Metalink is not a widely used curl feature. In the 2020 curl user
survey, only 1.4% of the responders said that they'd are using it. In
2021 that number was 1.2%. Searching the web also show very few
traces of it being used, even with other tools.
6. The torrent format and associated technology clearly won for
downloading large files from multiple sources in parallel.
Cloes #7176
Diffstat (limited to '.cirrus.yml')
| -rw-r--r-- | .cirrus.yml | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/.cirrus.yml b/.cirrus.yml index 8033442e1..33047ba26 100644 --- a/.cirrus.yml +++ b/.cirrus.yml @@ -41,7 +41,7 @@ freebsd_task: pkginstall_script: - pkg update -f - - pkg install -y autoconf automake libtool pkgconf brotli openldap-client heimdal libpsl libmetalink libssh2 openssh-portable libidn2 librtmp libnghttp2 nghttp2 stunnel + - pkg install -y autoconf automake libtool pkgconf brotli openldap-client heimdal libpsl libssh2 openssh-portable libidn2 librtmp libnghttp2 nghttp2 stunnel - case `python -V` in Python?3.7*) pkg install -y py37-impacket ;; Python?2.7*) pkg install -y py27-impacket ;; @@ -56,7 +56,7 @@ freebsd_task: export CXXFLAGS="-fsanitize=address,undefined -fno-sanitize-recover=undefined,integer -Wformat -Werror=format-security -Werror=array-bounds -g"; export LDFLAGS="-fsanitize=address,undefined -fno-sanitize-recover=undefined,integer" ;; esac - - ./configure --prefix="${HOME}"/install --enable-debug --with-openssl --with-libssh2 --with-brotli --with-gssapi --with-libidn2 --enable-manual --enable-ldap --enable-ldaps --with-librtmp --with-libmetalink --with-libpsl --with-nghttp2 || { tail -300 config.log; false; } + - ./configure --prefix="${HOME}"/install --enable-debug --with-openssl --with-libssh2 --with-brotli --with-gssapi --with-libidn2 --enable-manual --enable-ldap --enable-ldaps --with-librtmp --with-libpsl --with-nghttp2 || { tail -300 config.log; false; } compile_script: - make V=1 && cd tests && make V=1 test_script: |