git@vger.kernel.org mailing list mirror (one of many)
From: "Ævar Arnfjörð Bjarmason" <avarab@gmail.com>
To: "brian m. carlson" <sandals@crustytoothpaste.net>
Cc: git@vger.kernel.org, Junio C Hamano <gitster@pobox.com>,
	Jeff King <peff@peff.net>,
	Nicolas Morey-Chaisemartin <NMoreyChaisemartin@suse.de>,
	"Tom G . Christensen" <tgc@jupiterrise.com>,
	Mischa POSLAWSKY <git@shiar.nl>,
	Johannes Schindelin <Johannes.Schindelin@gmx.de>
Subject: Re: [PATCH v2 0/5] drop support for ancient curl
Date: Fri, 23 Jul 2021 09:17:58 +0200
Message-ID: <87h7gltrst.fsf@evledraar.gmail.com>
In-Reply-To: <YPn3jP0n+ghomSkX@camp.crustytoothpaste.net>


On Thu, Jul 22 2021, brian m. carlson wrote:

> On 2021-07-22 at 07:09:59, Ævar Arnfjörð Bjarmason wrote:
>> I'll clarify this along with other fixes in a re-roll, but I think our
>> policy shouldn't have anything to do with upstream promises of support,
>> but merely the trade-off of how easy it is for us to support old
>> software & how likely it is that people use it in practice along with
>> git.
>
> I don't think I agree.  We should try to support major operating systems
> well provided we can adequately be expected to test on them, and that
> means that they should have publicly available security support.  In
> other words, a developer on the relevant operating system should be able
> to test on that OS without paying ongoing money for the privilege of doing
> so securely.

Doesn't drawing that line in the sand for Linux distributions by
implication leave out support for Windows, OSX and any other proprietary
system? You need to pay for security and other updates for those from
day one.

> Once an operating system is no longer supported security-wise, we should
> no longer support it, either, since we can't be expected to test or
> develop on it securely.  Nobody could responsibly run such an image on
> a CI system or test with it on an Internet-connected computer, so we
> should no longer consider it worthy of our support.

Yes, I do think we disagree. I just think we should focus narrowly on
whether it's a hassle for us to support older libcurl; whether some
version of it is packaged with an old OS that's known to be in wide use
or not is ultimately just a useful heuristic.

>> So as an example we still say we support Perl 5.8, which is ridiculously
>> ancient as far as any notion of upstream security support goes (and as
>> an aside, does have real DoS issues exposed by e.g. the gitweb we ship).
>> 
>> But while we could probably bump that to something more modern nowadays
>> in practice we're not a mostly-Perl project, so I haven't found it to be
>> worth it to bump it when working on the relevant code.
>
> I've actually argued in favor of bumping the version to 5.14 a long time
> ago.  I can send a patch for that.  It has a bunch of nice new features
> we could take advantage of.

Sure, I'm not opposed. Just noting the in-tree nicer features for us
vs. more aggressive versioning policy for packagers and users (not that
Perl 5.14 is aggressive).

>> I'm only using RHEL 5 as a shorthand for a system that's usually the
>> most ancient thing people want to build new gits with in practice.
>> 
>> It's just not the case that you can't run RHEL 5 or even RHEL 4 "safely"
>> even today. Upstream has just abandoned it, but that doesn't mean users
>> in the wild have. There's also CentOS, not everyone cares about IBM
>> corporate support policies.
>
> Yes, and CentOS has dropped support earlier than Red Hat has.
>
> Just because users want to run new versions of Git on systems that
> should long ago have been abandoned[0] does not mean we should take the
> burden of maintaining that code for them.  Since they have the source
> code, they can build and maintain Git on those old systems and apply
> any necessary patches.  If this becomes burdensome, then perhaps the
> cost of maintaining the system will be an incentive to replace it with a
> secure system.
>
> I am unconvinced that we should make it easier for people to run
> insecure operating systems because they pose a hazard to the Internet
> when connected to it.  Just because it is behind some firewall doesn't
> mean that it cannot be compromised, and once it is, it can then become
> a source of spam and abuse.  This is not an idle thought experiment; it
> does practically happen with great frequency on the Internet today.  An
> unsupported system might be acceptable if it has no network connectivity
> at all, but then it would not need a newer version of Git.

Aren't you assuming that any network connectivity is equal to
connectivity to the open internet?

In any case, I think the notion that we should make git slightly more
painful to use on these systems as a distant proxy variable to forcing
OS upgrades is several levels away from where I think we should be
drawing the line, which is closer to "is it painful in-tree?" and "is
someone sending us patches to make it work?" etc.
