curl needs -k otherwise it fails with cert warning

[stmuk]

No description provided.

[miyagawa]

Nope, your curl is old and needs to be updated.

[stmuk]

True but your documentation still will fail for 90% of the people reading it.
And the point of documentation is to help people.

[virtualsue]

It has always failed for me. This documentation needs to be updated. From the usual workflow, people are not going to know that they "need" to update their version of curl so that your instructions work. And in fact their version of curl works just fine.

[miyagawa]

@stmuk where does the number "90%" come from? Do you have statistics of the versions of curl people are using? I suggest you not to try to convince me by making up numbers.

@virtualsue their curl doesn't work "just fine" - given the number of SSL vulnerabilities for the recent years, using -k is the most insecure thing. http://curl.haxx.se/docs/sslcerts.html

For me, this option has been working for the past 5 years (when cpanm was first released in 2010) with curl that comes with the stock OS X.

I know there are systems that are shipped with either old curl or outdated CA certificates, but enabling -k for these systems is a step backwards. I'd accept the patch that says along the lines of "if you receive a warning from curl, you're strongly suggested to update the version of curl to support the newer certificates." etc.

[miyagawa]

addressed with 2b1fa01