cmake: mention 'insecure' in the debug build warning #16327
Conversation
|
What's your rationale for this? It is quite enough to say do not use in production. A debug build is not itself insecure. |
|
It depends on the debug build. If it means to contain debug symbols, asserts and -O0, it may still be secure, but this warning is for |
DEBUGBUILD is what I'm talking about and I think the point is that it is not inherently insecure so we shouldn't represent it that way. There are environment variables like CURL_ENTROPY that can lessen the security and some sanity checks are skipped like enforcing https for DoH. But that is not insecure. I went through the code and the only possible insecure code I see is in curl_msh3 #16342 |
|
I don't agree here. Overriding the random generator and disabling / overriding internals via envs doesn't seem secure to me. The feature is meant for internal testing (according to docs) where this is perfectly fine, but secure it isn't. The env list documented seems incomplete. It's not necessary just envs, but other behavior changes not documented, nor vetted from a security angle. Does the CVE program cover For step-by-step debugging, getting stack dumps with symbols, edit: Skipping HTTPS and DoH enforcement don't sound secure to me, though probably each should be double-checked case-by-case to know for sure. |
|
I think we understand each other fine we just disagree |
- Remove the workaround that disabled peer verification in DEBUGBUILDs when CA certs were provided. The workaround was part of a TODO that disabled verification in DEBUGBUILDs with a CAfile/path because apparently there's no way to set those options in msh3 and that caused some tests to fail. Instead the tests should fail and this problem should not be covered up. Ref: #16327 (comment) Closes #16342
No description provided.