http: support building on RHEL6

[dscho]

This came in via the awkward venue of a commit comment at git@511cfd3#commitcomment-77360864.

I looked here to find out since when cURL supports CURLOPT_RESOLVE.

cc: "brian m. carlson" sandals@crustytoothpaste.net
cc: Ævar Arnfjörð Bjarmason avarab@gmail.com

[dscho]

/submit

[gitgitgadget]

Submitted as pull.1277.git.1656692646303.gitgitgadget@gmail.com

To fetch this version into FETCH_HEAD:

git fetch https://github.com/gitgitgadget/git/ pr-1277/dscho/curlopt_resolve-in-rhel6-v1

To fetch this version to local tag pr-1277/dscho/curlopt_resolve-in-rhel6-v1:

git fetch --no-tags https://github.com/gitgitgadget/git/ tag pr-1277/dscho/curlopt_resolve-in-rhel6-v1

[gitgitgadget]

On the Git mailing list, "brian m. carlson" wrote (reply to this):

On 2022-07-01 at 16:24:06, Johannes Schindelin via GitGitGadget wrote:
> From: Johannes Schindelin <johannes.schindelin@gmx.de>
> 
> There was a bug report attached to the copy of 511cfd3bffa (http: add
> custom hostname to IP address resolutions, 2022-05-16) in the `git/git`
> repository on GitHub, claiming that that commit broke the build on
> RedHat Enterprise Linux 6. The most likely explanation is that the
> available cURL version does not support the `CURLOPT_RESOLVE` feature.
> 
> Let's work around this by warning the user if they configure
> `http.curloptResolve` if compiled against a too-old cURL version.

I don't think it's a good idea to continue to support RHEL 6.  It lost
regular security support in 2020 and I think it's fine and even
preferable to force people to upgrade their OS once every decade.  10
years is, in my view, well beyond the reasonable life span of an OS.

There's no possible way that any Git developer can be expected to
support RHEL 6 because it has no publicly available security support[0] and
we can't expect developers to run or use insecure OSes at all.  It's
also irresponsible of us to enable people to use such an OS considering
the likelihood of compromise is substantial and the risk compromised
systems pose to the Internet, so I think we should drop this patch.

[0] Yes, there is _extended_ security support until 2024, but that's not
available to people who aren't already RHEL 6 users and it doesn't cover
dependencies such as libcurl or Perl that are required to effectively
use Git.
-- 
brian m. carlson (he/him or they/them)
Toronto, Ontario, CA

[gitgitgadget]

User "brian m. carlson" <sandals@crustytoothpaste.net> has been added to the cc: list.

[gitgitgadget]

On the Git mailing list, Junio C Hamano wrote (reply to this):

"brian m. carlson" <sandals@crustytoothpaste.net> writes:

> On 2022-07-01 at 16:24:06, Johannes Schindelin via GitGitGadget wrote:
>> From: Johannes Schindelin <johannes.schindelin@gmx.de>
>> 
>> There was a bug report attached to the copy of 511cfd3bffa (http: add
>> custom hostname to IP address resolutions, 2022-05-16) in the `git/git`
>> repository on GitHub, claiming that that commit broke the build on
>> RedHat Enterprise Linux 6. The most likely explanation is that the
>> available cURL version does not support the `CURLOPT_RESOLVE` feature.
>> 
>> Let's work around this by warning the user if they configure
>> `http.curloptResolve` if compiled against a too-old cURL version.
>
> I don't think it's a good idea to continue to support RHEL 6.  It lost
> regular security support in 2020 and I think it's fine and even
> preferable to force people to upgrade their OS once every decade.  10
> years is, in my view, well beyond the reasonable life span of an OS.
>
> There's no possible way that any Git developer can be expected to
> support RHEL 6 because it has no publicly available security support[0] and
> we can't expect developers to run or use insecure OSes at all.  It's
> also irresponsible of us to enable people to use such an OS considering
> the likelihood of compromise is substantial and the risk compromised
> systems pose to the Internet, so I think we should drop this patch.

I agree with you that justifying the change to support RHEL6 is a
bad idea, because it is a bad idea to encourage the continued use of
platform that is unsupported by the publisher.

But I do not think the patch text, what the patch does, is that bad.
We advertise in INSTALL that you need 7.19.4 to build without NO_CURL;
IOW, you should be able to build Git with 7.21.3 or later.

> [0] Yes, there is _extended_ security support until 2024, but that's not
> available to people who aren't already RHEL 6 users and it doesn't cover
> dependencies such as libcurl or Perl that are required to effectively
> use Git.

It is a different problem if RHEL6 has cURL 7.19.4 or later.  I do
not know the answer to that question.

Taking all of the above into account, I would say that the patch
text is OK and we should mention that the original complaint came
from a user who tried to build Git with RHEL6, but we should make
this change not because we want to keep Git working on that
platform.  Instead, justify the change because we should follow the
promise we made in INSTALL to support libCURL version 7.19.4 or
later

By the way, I do not see anything to notice an attempt to use
libCURL that is too old.  I wonder if the attached patch is worth
considering.

Thanks.

----- >8 --------- >8 --------- >8 --------- >8 --------- >8 -----
Subject: libcurl: document and enforce the lowest supported version

In INSTALL, we promise that certain version of libCURL is usable to
build git with, but there was nothing that ensures we are not built
with a version that is too old.  We may be lucky and the compiler
may choke on a missing function, global variable, or preprocessor
constant in such a case, but it may be more helpful to the users to
give an explicit error message that says the lowest version we
support.

Signed-off-by: Junio C Hamano <gitster@pobox.com>
---
 INSTALL           |  2 +-
 git-curl-compat.h | 11 ++++++++---
 2 files changed, 9 insertions(+), 4 deletions(-)

diff --git c/INSTALL w/INSTALL
index 4140a3f5c8..d9c83f30c5 100644
--- c/INSTALL
+++ w/INSTALL
@@ -146,7 +146,7 @@ Issues of note:
 
 	  Git requires version "7.19.4" or later of "libcurl" to build
 	  without NO_CURL. This version requirement may be bumped in
-	  the future.
+	  the future in the <git-curl-compat.h> file.
 
 	- "expat" library; git-http-push uses it for remote lock
 	  management over DAV.  Similar to "curl" above, this is optional
diff --git c/git-curl-compat.h w/git-curl-compat.h
index 56a83b6bbd..6eda37ea5a 100644
--- c/git-curl-compat.h
+++ w/git-curl-compat.h
@@ -8,9 +8,6 @@
  * inform decisions about removing support for older libcurl in the
  * future.
  *
- * The oldest supported version of curl is documented in the "INSTALL"
- * document.
- *
  * The source of truth for what versions have which symbols is
  * https://github.com/curl/curl/blob/master/docs/libcurl/symbols-in-versions;
  * the release dates are taken from curl.git (at
@@ -28,6 +25,14 @@
  * introduced, oldest first, in the official version of cURL library.
  */
 
+/*
+ * The oldest supported version of curl is documented in the "INSTALL"
+ * document.
+ */
+#if LIBCURL_VERSION_NUM < 0x071304
+#error "libCURL older than 7.19.4 is not supported"
+#endif
+
 /**
  * CURL_SOCKOPT_OK was added in 7.21.5, released in April 2011.
  */

[gitgitgadget]

On the Git mailing list, Junio C Hamano wrote (reply to this):

Junio C Hamano <gitster@pobox.com> writes:

> But I do not think the patch text, what the patch does, is that bad.
> We advertise in INSTALL that you need 7.19.4 to build without NO_CURL;

> IOW, you should be able to build Git with 7.21.3 or later.

That conclusion is nonsense.  "with a version before 7.21.3 as long
as it is newer than 7.19.4" is what I should have said.

[gitgitgadget]

On the Git mailing list, Ævar Arnfjörð Bjarmason wrote (reply to this):

On Fri, Jul 01 2022, Junio C Hamano wrote:

> Junio C Hamano <gitster@pobox.com> writes:
>
>> But I do not think the patch text, what the patch does, is that bad.
>> We advertise in INSTALL that you need 7.19.4 to build without NO_CURL;
>
>> IOW, you should be able to build Git with 7.21.3 or later.
>
> That conclusion is nonsense.  "with a version before 7.21.3 as long
> as it is newer than 7.19.4" is what I should have said.

I find this line of argument to be circular legalese without a
distinction.

As 644de29e220 (http: drop support for curl < 7.19.4, 2021-07-30) notes
(which I submitted as part of the git-curl-compat.h series) the reason
we have 7.19.4 as a cut-off is entirely due to RHEL.

So, if you do agree with brian that supporting RHEL6 is a bad idea
supporting RHEL6 v.s. supporting libcurl 7.19.4 is a distinction without
a difference.

There's also a 7.19.3, and a 7.19.5, we didn't pick specifically 7.19.4
by accident.

Yes you *could* run Linux-From-Scratch and just so happen to have that
version, but in reality practice almost everyone who cares about 7.19.4
does so because the cut-off is synonymous with RHEL6 and its
derivatives. The same goes for other "magic versions" shipped by later
major OS versions from various vendors.

Brian & I have disagreed on the larger point in the past, not to re-hash
the entire thing here (which can be found in some libcurl threads in
particular, and other "older OS" threads), but somewhat briefly:

 * I think we should be more aggressive in bumping required dependency
   versions, but not as a stick to force users on older systems to
   upgrade out of some enforcement of the Greater Good.

   But simply because we should weigh our time & effort in supporting
   and testing older versions, v.s. the relatively small effort for
   packager to build a newer git *and* its updated dependencies[1].

 * Having said that I entirely disagree with the premise that we should
   view the consumers of our software on free software platforms as
   helpless users who can't make an informed decision about whether they
   should run on older OS with newer software.

   Whether something is supported by upstream is only one factor in
   evaluating the security of a given installation, and whether security
   even really matters in that case (some older RHEL installs are
   firewalled off, or one some private network etc.).

   It's one thing to demand that we do their work for them (which per
   the above, I think it's fair to ask them to do more work). But
   arguing from the *principle* that we use non-support for older
   systems as a wedge quickly leads to justifying actively breaking
   older OS's, or not taking portability patches where the maintenance
   burden is trivial.

 * I really don't care that much about older libcurl in particular
   (using NO_CURL=Y or compiling it yourself is easy).

   But the reason some of us use or test on older OS's is not because we
   think exposing Solaris 10 (released in 2005, see [2]) or whatever to
   the wider internet would be a good idea, but because those older OS's
   tend to find edge cases is our portability assumptions, which
   sometimes even helps portability on newer or future OSs.

The reason I wrote the above now is because I'd really not like
e.g. future C portability patches or whatever that are easy to carry but
happen to cater to some "EOL" OS to be rejected out of hand because
"there's no possible way that any Git developer can be expected to
support [it]", and to have this thread cited as justification without
there being a dissenting argument to be found.

Even if I agreed with the goals I think the argument is still
fundamentally flawed. Some vendors of older OS's don't publish the same
sort of deprecation and support time tables that Red Hat does, even
though their older (and sometimes newer) OS's are probably more insecure
in practice.

Therefore if our criteria for shunning an OS is that its vendor deems it
insecure, we're not only using our clout to encourage them to upgrade,
but also encouraging the use of OS's whose vendors aren't themselves as
strict about encouraging users to upgrade.

1. https://lore.kernel.org/git/CACBZZX78oKU5HuBEqb9qLy7--wcwhC_mW6x7Q+tB4suxohSCsQ@mail.gmail.com/
2. https://cfarm.tetaneutral.net/machines/list/

[gitgitgadget]

User Ævar Arnfjörð Bjarmason <avarab@gmail.com> has been added to the cc: list.

[gitgitgadget]

On the Git mailing list, Junio C Hamano wrote (reply to this):

Ævar Arnfjörð Bjarmason <avarab@gmail.com> writes:

>>> But I do not think the patch text, what the patch does, is that bad.
>>> We advertise in INSTALL that you need 7.19.4 to build without NO_CURL;
>>
>>> IOW, you should be able to build Git with 7.21.3 or later.
>>
>> That conclusion is nonsense.  "with a version before 7.21.3 as long
>> as it is newer than 7.19.4" is what I should have said.
>
> I find this line of argument to be circular legalese without a
> distinction.
>
> As 644de29e220 (http: drop support for curl < 7.19.4, 2021-07-30) notes
> (which I submitted as part of the git-curl-compat.h series) the reason
> we have 7.19.4 as a cut-off is entirely due to RHEL.

Ah, I didn't dig deep enough.

On that backdrop, it becomes a reasonable alternative change to bump
the minimum required version to 7.21.3 with something like the "I
wonder if the attached patch is worth considering" patch I sent in
the upthread, without adding the conditional based on
GIT_CURL_HAVE_CURLOPT_RESOLVE cpp macro.

We could pick an even later cut-off point, but that requires a
separate discussion.

Thanks.