On Monday 30 November 2015 08:15:55 Daniel Stenberg wrote:
> On Thu, 26 Nov 2015, Tim Ruehsen wrote:
> > I just don't like this behavior being the default. I have nothing against
> > some kind of configuration / option.
>
> But this gives a user greater flexibility to more fine-grained trust.

Adding/removing CA stores (directories and/or single files) via command line (and/or config file and/or aliases) gives you lots more flexibility. Wget has had subsets of these capabilities for years.

> What sort of problem do you see with this?

I already gave a scenario where the requested change is dangerous. If you think it is not appropriate, please give some arguments.

> We don't normally fear adding options in libcurl, but this is a very
> specialized option that very few users would know how to handle.

??? IMO, Reiner and Petr know what they want - and they seem to be the only ones who need this feature so far. Why do you think they can't handle a CLI option?

> Also, based on what's said it might also tweak behavior other TLS backends
> already do on their own, not to mention that other backends may not be that
> easy to alter this behavior for.

Just because other people dig a security hole, you don't have to follow them.

But anyways, there are pros and cons whatever you decide. You can read and understand the arguments and have to decide. I accept your decision - I am not a security evangelist. Just wanted to mention my concerns.

Tim

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
