Re: Fwd: [curl] Re: configure: --with-libidn or --with-libidn2?

2016-12-26 Thread Leo Famulari 
On Mon, Dec 26, 2016 at 05:10:50PM +, ng0 wrote:
> Leo Famulari  writes:
> 
> > On Mon, Dec 26, 2016 at 01:59:22PM +, ng0 wrote:
> >> It seems as if curl can be build with libidn2 now and they have
> >> addressed the bug which existed for a while. I will check with
> >> upstream and send in a fix for our curl package once I am sure
> >> that the old bug has been fixed.
> >
> > Which bug?
> >
> > In November 2016, the curl maintainers asked packagers to not link curl
> > with libidn or libidn2 at all, due to security issues:
> >
> > https://curl.haxx.se/mail/lib-2016-11/0033.html
> >
> 
> Which has since then be fixed and in a recent (not in 7.52.1
> included) commit the --with-libidn2 option has been added.
> 
> My understanding of libidn2 is that there were problems with some
> usecases. For example a domain name like bäcker.de would give
> problems to applications such as curl. Of course this was months
> ago, and I would not trust my memory on this.

I don't think this issue is fixed in a released version of libidn2.

I see some unreleased changes in an unofficial 3rd-party libidn2
repository that appear to address the problem:

https://gitlab.com/rockdaboot/libidn2/commit/1712c7188c367bb822aeb0a0f89735ebf4aa7d5a

Specifically, "** Add TR46 / UTS#46 support to API and idn2 utility."

I understand that to be the main blocker based on this curl discussion:

https://curl.haxx.se/mail/lib-2016-11/0198.html

Am I missing something?

Re: Fwd: [curl] Re: configure: --with-libidn or --with-libidn2?

2016-12-26 Thread ng0 
Leo Famulari  writes:

> On Mon, Dec 26, 2016 at 01:59:22PM +, ng0 wrote:
>> It seems as if curl can be build with libidn2 now and they have
>> addressed the bug which existed for a while. I will check with
>> upstream and send in a fix for our curl package once I am sure
>> that the old bug has been fixed.
>
> Which bug?
>
> In November 2016, the curl maintainers asked packagers to not link curl
> with libidn or libidn2 at all, due to security issues:
>
> https://curl.haxx.se/mail/lib-2016-11/0033.html
>

Which has since then be fixed and in a recent (not in 7.52.1
included) commit the --with-libidn2 option has been added.

My understanding of libidn2 is that there were problems with some
usecases. For example a domain name like bäcker.de would give
problems to applications such as curl. Of course this was months
ago, and I would not trust my memory on this.

-- 
♥Ⓐ  ng0
PGP keys and more: https://n0is.noblogs.org/ http://ng0.chaosnet.org

Re: Fwd: [curl] Re: configure: --with-libidn or --with-libidn2?

2016-12-26 Thread Leo Famulari 
On Mon, Dec 26, 2016 at 01:59:22PM +, ng0 wrote:
> It seems as if curl can be build with libidn2 now and they have
> addressed the bug which existed for a while. I will check with
> upstream and send in a fix for our curl package once I am sure
> that the old bug has been fixed.

Which bug?

In November 2016, the curl maintainers asked packagers to not link curl
with libidn or libidn2 at all, due to security issues:

https://curl.haxx.se/mail/lib-2016-11/0033.html

Re: Fwd: [curl] Re: configure: --with-libidn or --with-libidn2?

2016-12-26 Thread ng0 
ng0  writes:

> It seems as if curl can be build with libidn2 now and they have
> addressed the bug which existed for a while. I will check with
> upstream and send in a fix for our curl package once I am sure
> that the old bug has been fixed.

Misinterpretation on my side, and I forgot that I'm read-only on
that list. Is anyone up to date on libidn2 vs libidn, is version
2 now beyond the stage where it does not break anymore on
unicode?

> -- 
> ♥Ⓐ  ng0
> PGP keys and more: https://n0is.noblogs.org/ http://ng0.chaosnet.org
>
>
> Date: Thu, 01 Jan 1970 00:00:00 +
>
> On Sat, 24 Dec 2016, Christian Weisgerber wrote:
> MIME-Version: 1.0
> Content-Type: text/plain
>
>> In 7.51.0 and later, the actual configure script option for libidn2
>> is still "--with-libidn", but the help text refers to "--with-libidn2".
>
>> This can be fixed either way, but the inconsistency is confusing.
>
> Oops, yes that seems silly. I think we should switch to --with-libidn2 
> completely. I'll fix!
>
> -- 
>
>   / daniel.haxx.se
> ---
> List admin: https://cool.haxx.se/list/listinfo/curl-library
> Etiquette:  https://curl.haxx.se/mail/etiquette.html

-- 
♥Ⓐ  ng0
PGP keys and more: https://n0is.noblogs.org/ http://ng0.chaosnet.org

Fwd: [curl] Re: configure: --with-libidn or --with-libidn2?

2016-12-26 Thread ng0 
It seems as if curl can be build with libidn2 now and they have
addressed the bug which existed for a while. I will check with
upstream and send in a fix for our curl package once I am sure
that the old bug has been fixed.
-- 
♥Ⓐ  ng0
PGP keys and more: https://n0is.noblogs.org/ http://ng0.chaosnet.org


--- Begin Message ---
On Sat, 24 Dec 2016, Christian Weisgerber wrote:
MIME-Version: 1.0
Content-Type: text/plain

> In 7.51.0 and later, the actual configure script option for libidn2
> is still "--with-libidn", but the help text refers to "--with-libidn2".

> This can be fixed either way, but the inconsistency is confusing.

Oops, yes that seems silly. I think we should switch to --with-libidn2 
completely. I'll fix!

-- 

  / daniel.haxx.se
---
List admin: https://cool.haxx.se/list/listinfo/curl-library
Etiquette:  https://curl.haxx.se/mail/etiquette.html--- End Message ---