[arch-dev-public] libpsl support for wget and curl (moving libpsl to [core])

Levente Polyak anthraxx at archlinux.org
Mon Nov 14 11:39:31 UTC 2016


Hi,

I would like to move libpsl[0] to [core] and, if no objections arise,
rebuild wget and curl against it. Doing so will protect against some
problems related to insufficient checking of TLDs (e.g. [1]).

Q: What is libpsl?
A: A C library to handle the Public Suffix List [0]. It was created
   out of wget itself and turned into a library so others (like curl)
   could benefit from it.

Q: What does it protect against?
A: - "supercookies" -> cookie checking, cookie domain verification
   - "super domain certificates" -> overly permissive hostname matching

Q: What does upstream recommend?
A: Both curl and wget advocate the use of libpsl in their projects if
   available [2][3].

Q: How big is this package?
A: Not even noticeable, 41K while packed (tar.xz) and 92K unpacked.


cheers,
Levente

[0] https://github.com/rockdaboot/libpsl
[1] https://lists.gnu.org/archive/html/bug-wget/2014-03/msg00093.html
[2] http://git.savannah.gnu.org/cgit/wget.git/commit/?id=854ebbf4ddad
[3] https://github.com/curl/curl/commit/e77b5b7453c1e8ccd7ec
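
The "supercookie" check named in the message, as an added example that is not part of the original mail and is not libpsl's own code: a cookie's Domain attribute is refused when it is a bare public suffix. `RULES` is a constructed five-entry subset of the Public Suffix List, and `suffix_labels` and `cookie_domain_ok` are hypothetical names.

```c
#include <stdio.h>
#include <string.h>

/* Constructed subset of Public Suffix List rules; the real list is far larger. */
static const char *RULES[] = { "com", "uk", "co.uk", "*.ck", "!www.ck", NULL };

static int labels(const char *s) {
    int n = 1;
    for (; *s; s++) if (*s == '.') n++;
    return n;
}

/* Pointer to the last n labels of d, or NULL if d has fewer than n labels. */
static const char *tail(const char *d, int n) {
    int have = labels(d);
    if (n > have) return NULL;
    for (; have > n; have--) d = strchr(d, '.') + 1;
    return d;
}

/* Label count of d's public suffix; with no matching rule the default "*" gives 1. */
int suffix_labels(const char *d) {
    int best = 1;
    for (int i = 0; RULES[i]; i++) {
        const char *r = RULES[i];
        int exc = (*r == '!');
        r += exc;                                  /* skip the '!' marker */
        int n = labels(r);
        if (!tail(d, n)) continue;                 /* rule longer than the domain */
        int hit = (r[0] == '*' && r[1] == '.')
            ? strcmp(r + 2, tail(d, n - 1)) == 0   /* "*" matches any one label */
            : strcmp(r, tail(d, n)) == 0;
        if (hit && exc) return n - 1;              /* exception rule wins outright */
        if (hit && n > best) best = n;             /* otherwise the longest rule wins */
    }
    return best;
}

/* May `host` set a cookie with Domain=cd? Inputs are assumed lowercase ASCII. */
int cookie_domain_ok(const char *host, const char *cd) {
    if (*cd == '.') cd++;
    if (strcmp(host, cd) == 0) return 1;           /* same name: scoped to one host */
    size_t hl = strlen(host), cl = strlen(cd);
    int parent = cl && hl > cl && host[hl - cl - 1] == '.' && !strcmp(host + hl - cl, cd);
    return parent && labels(cd) > suffix_labels(cd);   /* refuse bare public suffixes */
}

int main(void) {  /* demo: registrable parent domain vs. bare suffix "co.uk" */
    const char *h = "shop.example.co.uk";
    printf("%d %d\n", cookie_domain_ok(h, "example.co.uk"), cookie_domain_ok(h, "co.uk"));
}
```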
