From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on dcvr.yhbt.net X-Spam-Level: X-Spam-ASN: AS53758 23.128.96.0/24 X-Spam-Status: No, score=-4.0 required=3.0 tests=AWL,BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED,SPF_HELO_PASS,SPF_PASS shortcircuit=no autolearn=ham autolearn_force=no version=3.4.2 Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by dcvr.yhbt.net (Postfix) with ESMTP id ECD141F8C6 for ; Thu, 9 Sep 2021 23:12:31 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1347859AbhIIXNj (ORCPT ); Thu, 9 Sep 2021 19:13:39 -0400 Received: from pb-smtp2.pobox.com ([64.147.108.71]:54613 "EHLO pb-smtp2.pobox.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234743AbhIIXNi (ORCPT ); Thu, 9 Sep 2021 19:13:38 -0400 Received: from pb-smtp2.pobox.com (unknown [127.0.0.1]) by pb-smtp2.pobox.com (Postfix) with ESMTP id 4E278F0EB6; Thu, 9 Sep 2021 19:12:27 -0400 (EDT) (envelope-from junio@pobox.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=pobox.com; h=from:to:cc :subject:references:date:in-reply-to:message-id:mime-version :content-type:content-transfer-encoding; s=sasl; bh=eegOlAqz/bjg AuU6Y74m7KWo8Q+I0lj8m9A90MudB1U=; b=JdxWUZSt9S426N5k4nHJf9P5MEBj BrliwoxhShtMTDos2tPuG+fHDvmvcPP95K8YwWk6fPQmg0E43qVKZkdokFAWNded //6rHWBt0YV5VOp6mWqsMlisRoTha3ePEgMv+8u6/uwhcwMeGSuctOBq5tlCG704 fWS1tLwC7Oi0xPs= Received: from pb-smtp2.nyi.icgroup.com (unknown [127.0.0.1]) by pb-smtp2.pobox.com (Postfix) with ESMTP id 46B4FF0EB5; Thu, 9 Sep 2021 19:12:27 -0400 (EDT) (envelope-from junio@pobox.com) Received: from pobox.com (unknown [104.196.172.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by pb-smtp2.pobox.com (Postfix) with ESMTPSA id C4528F0EB4; Thu, 9 Sep 2021 19:12:26 -0400 (EDT) (envelope-from junio@pobox.com) From: Junio C Hamano To: Jeff King Cc: =?utf-8?B?w4Z2YXIgQXJuZmrDtnLDsA==?= Bjarmason , git@vger.kernel.org, "brian m . carlson" , Bagas Sanjaya Subject: Re: [PATCH 2/5] http: correct curl version check for CURLOPT_PINNEDPUBLICKEY References: Date: Thu, 09 Sep 2021 16:12:26 -0700 In-Reply-To: (Jeff King's message of "Wed, 8 Sep 2021 15:22:28 -0400") Message-ID: User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.2 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 X-Pobox-Relay-ID: 65F0B75C-11C3-11EC-9F4C-CD991BBA3BAF-77302942!pb-smtp2.pobox.com Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: git@vger.kernel.org Jeff King writes: > On Wed, Sep 08, 2021 at 05:31:53PM +0200, =C3=86var Arnfj=C3=B6r=C3=B0 = Bjarmason wrote: > >> In aeff8a61216 (http: implement public key pinning, 2016-02-15) a >> dependency and warning() was added if curl older than 7.44.0 was used, >> but the relevant code depended on CURLOPT_PINNEDPUBLICKEY, introduced >> in 7.39.0. > > According to the manpage for CURLOPT_PINNEDPUBLICKEY, it looks like > support for various formats and implementations was phased in. In > particular, 7.44.0 picked up sha256 support (I guess for a fingerprint? > I've never used this feature) for most major implementations. > > But in terms of compiling, all we care about is that the constant is > there. So I think the cutoff point you found is what we want. Presumabl= y > when the file format isn't supported we'd get some error, though it's > not clear if that would come during the actual curl_*_perform(), or if > we should be checking the curl_easy_setopt() result. If we were evaluating a patch to add support for pinnedpublickey afresh back in, say, 2017, perhaps we cared enough about the distinction between 7.39 and 7.44 (Nov 2014 and Aug 2015, respectively), but I'd say cut-off at 7.44 for this, once it is written and committed in our codebase, is good enough for us. If the code originally had cut-off at 7.39 and we were raising the floor to 7.44 with "sha256 weren't usable before that version" as the justification, it would be a totally different situation and it may be worth the code change, but I am not sure if going backwards is worth it. So, I dunno. Thanks.