Should "std.net.curl" be moved from Phobos to Deimos?

Marco Leise Marco.Leise at gmx.de
Tue Nov 26 17:28:06 PST 2013


On Tue, 26 Nov 2013 10:44:07 -0800,
Andrei Alexandrescu <SeeWebsiteForEmail at erdani.org> wrote:

> On 11/25/13 4:36 PM, Adam D. Ruppe wrote:
> > On Tuesday, 26 November 2013 at 00:13:57 UTC, Andrei Alexandrescu wrote:
> >> First I'd like to gather an understanding on why we seem to have this
> >> problem (far as I understand, the likes of php and python are doing
> >> fine with curl, but maybe I'm wrong).
> >
> > A major difference is there's only one php/python binary, usually built
> > on the same system that uses it. Phobos, on the other hand, is generally
> > built on the packager's computer, which isn't always binary compatible
> > with the deployment box.
> >
> > On Windows, the problem is simply that curl isn't packaged with dmd, for
> > some weird reason, meaning people have to get curl.lib separately.
> > That's idiotic. But then again, so are a lot of the dmd Windows
> > deficiencies.
> 
> Please let me know whether my understanding of the situation is correct:
> 
> 1. If people have a working installation of libcurl on their machine, we 
> work with it.
> 
> 2. Otherwise, phobos works fine but attempting to use std.net.curl will 
> fail.
> 
> Is this correct? If not, please explain exactly why. If yes, this setup 
> seems entirely appropriate to me.
> 
> >> If we do decide to do away with libcurl, one possible solution would
> >> be to embed its source code within our build. That way we wouldn't
> >> break code that already uses it.
> >
> > Yes, that would be ideal, we should just statically link curl right into
> > the phobos build so it just works everywhere.
> 
> There are several questions associated with this.
> 
> 1. Does the author of libcurl agree with such? My understanding is he would.
> 
> 2. Would we need to actually build libcurl from source, or just 
> distribute it? In the former case, it would be quite odd that we'd need 
> to do that (and presumably we'd need to take some maintenance burden, too).
> 
> 3. What if people already have some working libcurl version and would 
> want to use that?
> 
> 
> Andrei

Point 3 is a bigger issue than it may seem at first. A reason
to use shared libraries is that the modularity makes it
trivial to get security updates, whereas a monolithic Phobos
is not necessarily updated when a security fix for cURL becomes
available.

This page shows that sometimes security holes are found on a
daily basis: http://curl.haxx.se/docs/security.html

-- 
Marco


