Notices by daniel:// stenberg:// (bagder@mastodon.social), page 8

"The *only* reason curl is popular, is because it is *free* and it might have been first. Using curl is a temporary cost cutting measure. curl is a tool for the poor. "

Aart de Vries apparently knows.

https://daniel.haxx.se/blog/2024/03/08/the-apple-curl-security-incident-12604/comment-page-1/#comment-26945

like this

I'll go with a darker green and put checkmarks there instead "yes". makes it a cleaner feel

Coming soon on the #curl website. All TLS related options and which TLS backends that work with them...

if the person can update to a fixed version... then we already have a fixed version. If they can't update, then.... why file an issue in the first place?

When a person files an issue against an eleven year old #curl version, what exactly do they want us to do?

#curl turns 26 today

https://daniel.haxx.se/blog/2024/03/20/curl-turns-26-today/

@kaia Thanks. It is still bound to be biased since I maintain it and curl is my baby, but I try ...

Compare #curl with other download tools

https://curl.se/docs/comparison-table.html

@ecn I am aware. I think my bigger concern is that we have a lot of users using this and I'm not sure all of them have any easy/proper alternatives...

Maybe #curl should plan to drop support for the non-TLS 1.3 libraries?

https://curl.se/mail/lib-2024-03/0006.html

@loke are you saying that you only have one of those TLS libraries to select from on Riscos?

@loke I am also proposing a suitable date far enough in the future to allow adaption time

@joshbressers @liw @kurtseifried @gregkh in the case of curl and libcurl, we took on the stance to never break our users very early on. I am convinced it is a reason behind our success. They know they can upgrade without worries.

Can success be measured by the frequency how often random strangers propose you rewrite your project?

For the #curl distro discussion 2024 (https://github.com/curl/curl/wiki/curl-distro-discussion-2024) we have confirmed intended attendance by people packaging curl for Debian, Mageia, RHEL/Fedora, Windows 10/11, MacPorts, Homebrew, Yocto Project and AlmaLinux

I'm thrilled!

"The issue was detected by our new AI-powered vulnerability scanner" ...

AAAAAAA

https://github.com/curl/curl/issues/12983

The best part about being an open source maintainer is the copious amounts of free advice you get from people who know better than you what your project should do. /s

try "curl pkmn.li"

(via @glow )

I'm convinced someone just grepped commit messages for this and submitted a #CVE and there was nothing and no one that even tried to confirm or check that this was actually legitimate. There was no filter in place and it was incorrectly let through. That's why it should be rejected. Saying it is "disputed" hints that there can be different views on this subject.

So, you are asking me to explain how this not identified vulnerability is actually not identifying a vulnerability.