git@vger.kernel.org mailing list mirror (one of many)
From: Jeff King <peff@peff.net>
To: Johannes Schindelin <Johannes.Schindelin@gmx.de>
Cc: "brian m. carlson" <sandals@crustytoothpaste.net>,
	"Ævar Arnfjörð Bjarmason" <avarab@gmail.com>,
	"Tom G. Christensen" <tgc@jupiterrise.com>,
	"Git Mailing List" <git@vger.kernel.org>,
	"Jonathan Nieder" <jrnieder@gmail.com>,
	"Todd Zullinger" <tmz@pobox.com>
Subject: Re: [RFC] dropping support for ancient versions of curl
Date: Mon, 10 Apr 2017 14:22:15 -0400
Message-ID: <20170410182215.figy7hm4sogwipyz@sigill.intra.peff.net>
In-Reply-To: <alpine.DEB.2.20.1704071257560.4268@virtualbox>

On Fri, Apr 07, 2017 at 01:18:30PM +0200, Johannes Schindelin wrote:

> On Thu, 6 Apr 2017, Jeff King wrote:
> 
> > And it's not like people on ancient mission-critical systems get cut
> > off. They can still run the version of Git they were running when their
> > OS went out of support.
> 
> You keep baiting me, so I'll bite, after resisting the urge for so long.

I wasn't going to respond to this, because I didn't feel like the
discussion was going anywhere. But I ran across yet another issue
related to this today that hadn't been mentioned yet.

Your story shows that yes, it's convenient when old libraries are
supported. I don't dispute that. But one of my earlier points is that
this isn't just about maintenance burden (which I agree is not huge);
it's about whether we do a disservice to users to pretend that Git is
even remotely tested with older versions of curl.

For instance, did you know that versions of curl prior to v7.17 rely on
any strings fed via curl_easy_setopt() remaining valid for the lifetime
of the curl handle[1]?

We have some workarounds for this in old code (for example, see the
handling of CURLOPT_PASSWORD in http.c), but a lot of calls have been
added since then. I think there's a very good chance there are
use-after-free bugs when Git is compiled against an older curl.

I'm concerned that we're giving users a false sense of what is
reasonable to compile against.  You can reframe that as a maintenance
question (we _could_ find and fix those bugs), but that changes the
cost/benefit analysis.

[1] http://public-inbox.org/git/alpine.DEB.2.00.1306180825460.24456@tvnag.unkk.fr/

-Peff
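
The lifetime rule described in the message above, as an added example that is not part of the original message and is not Git's or curl's code. It uses a constructed stand-in for a curl handle rather than libcurl itself; `model_handle`, `setopt_borrow`, `setopt_pinned` and the URL are hypothetical names and values. The caller's buffer is overwritten instead of freed so that the stale read can be observed without undefined behaviour.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model, NOT libcurl: the handle may hold a borrowed pointer. */
struct model_handle {
	const char *url; /* what a later "transfer" would read */
	char *owned;     /* copy owned by the handle, if any */
};

/* Pre-7.17 semantics: store the pointer; the caller must keep it valid. */
static void setopt_borrow(struct model_handle *h, const char *url)
{
	h->url = url;
}

/* Workaround: copy the string and tie the copy's lifetime to the handle. */
static int setopt_pinned(struct model_handle *h, const char *url)
{
	char *copy = malloc(strlen(url) + 1);
	if (!copy)
		return -1;
	strcpy(copy, url);
	free(h->owned);
	h->url = h->owned = copy;
	return 0;
}

/* 1 if the handle still sees its URL after the caller overwrites buf. */
static int url_survives_buffer_reuse(int pinned)
{
	struct model_handle h = { NULL, NULL };
	char buf[64] = "https://example.com/repo.git"; /* constructed sample */
	int ok;
	if (!pinned)
		setopt_borrow(&h, buf);
	else if (setopt_pinned(&h, buf) < 0)
		return -1;
	strcpy(buf, "scratch data for the next request"); /* reuse, not free */
	ok = !strcmp(h.url, "https://example.com/repo.git");
	free(h.owned);
	return ok;
}

int main(void)
{
	int b = url_survives_buffer_reuse(0), p = url_survives_buffer_reuse(1);
	printf("borrowed: %d, pinned: %d\n", b, p);
	return 0;
}
```

With a real allocator the borrowed case would read freed memory rather than overwritten memory, which is the kind of bug AddressSanitizer or valgrind reports as a use-after-free.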
