Curl question

For discussions about security.

Post by ozsouth »

I've been playing with jrb's Jammypup & F96-CE. I noticed (particularly) Curl is quite outdated.
I am unsure of the best procedure for replacement, as current versions are compiled with gnutls.
I have usually compiled Curl with openssl only. No errors emanate & gnutls has way too many
dependencies for me to update it.
Am I opening up a security hole if I remove libgnutls-curl & Curl, & then replace them with
updated Curl compiled with just openssl?

Re: Curl question

Post by pp4mnklinux »

It's impossible for me to answer a YES / NO question when talking about puppy.

In my opinion, removing libgnutls-curl and replacing curl with an updated version compiled with OpenSSL should not necessarily be a security hole, but it may have implications for other software on your system that depends on these libraries. It's important to carefully consider the dependencies and potential impact of any changes before making them, but I think there is no problem in trying.

Make a security copy of your system, and start trying... You should consider that the version of Curl you are using is up-to-date and has no known vulnerabilities. Good starts usually give good results..... :)

Enjoy this weekend.- CHEERS

~

F96CE_XFCE_FUSILLI ====> https://puppyxfcefusilli.wordpress.com/

Re: Curl question

Post by Jasper »

@ozsouth

If you do decide to implement this change ........... which branch of OpenSSL would you be utilising?

Support for 1.1.1 ends on September 11.

Also, remember it also needs to be updated in the DevX as well.

Re: Curl question

Post by ozsouth »

@pp4mnklinux - Having done this before, nothing SEEMS to be yelping about missing libs, but my worry
is that if something depends on libgnutls-curl for security, I might unknowingly have an issue.
Conversely, if I leave it there, the new curl version is a mismatch - also a potential issue.

@Jasper - in Jammypup, I'm using openssl 3.0.2. Thanks for the devx reminder - I'd forgotten.

Since the current Jammypup Curl (7.81) is dated 5 Jan 2022, maybe better overall to leave it alone.
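
One way to check the concern raised in this post before removing the GnuTLS build (an added example, not part of any post in this thread): list every ELF file whose dynamic section names that library. The soname `libcurl-gnutls.so.4` is an assumption taken from Debian/Ubuntu packaging, and `readelf` from binutils must be installed.

```shell
#!/bin/sh
# Added example: find ELF files that load a given shared library (DT_NEEDED).
# Assumption: the GnuTLS libcurl build uses the Debian/Ubuntu soname below.
SONAME_DEFAULT="libcurl-gnutls.so.4"

# Read `readelf -d` output on stdin, print one DT_NEEDED soname per line.
# Other dynamic entries (SONAME, RUNPATH, ...) are ignored.
needed_sonames() {
    sed -n 's/.*(NEEDED).*\[\([^]]*\)].*/\1/p'
}

# Succeed if FILE ($1) lists SONAME ($2) in its dynamic section.
# Non-ELF files and unreadable files simply fail the check.
links_against() {
    readelf -d "$1" 2>/dev/null | needed_sonames | grep -qxF "$2"
}

# Print every regular file under the given directories that needs SONAME.
# Usage: find_dependents SONAME DIR...
find_dependents() {
    soname=$1
    shift
    find "$@" -xdev -type f 2>/dev/null | while IFS= read -r f; do
        if links_against "$f" "$soname"; then
            printf '%s\n' "$f"
        fi
    done
}

# When run with directories as arguments, scan them for the default soname,
# e.g.:  sh scan.sh /usr/bin /usr/lib /opt
if [ "$#" -ge 1 ]; then
    find_dependents "$SONAME_DEFAULT" "$@"
fi
```

An empty result means no binary or library in the scanned directories loads the GnuTLS build directly; plugins opened at run time with `dlopen` would not show up in this check.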

Re: Curl question

Post by dimkr »

Ubuntu 22.04 sticks to a certain curl version and Canonical backports fixes for security issues from later versions, when vulnerabilities affect this older version too. LTS means sticking to an old version and backporting bug and security fixes for 5 years, not constantly updating to the latest curl for 5 years.

You're not necessarily using a more secure curl if you're updating, especially if you're not constantly chasing the latest version and applying all security patches queued for the next curl release.

Re: Curl question

Post by Jasper »

I am using an updated build of Curl in FP95.

To fix the errors I receive in the corresponding DevX, would I need to unpack the SFS and then add my updated build and then repack?

Re: Curl question

Post by ozsouth »

... DevX, would I need to unpack the SFS and then add my updated build and then repack?

@Jasper - I think so.

Re: Curl question

Post by Jasper »

@ozsouth

I took a gamble and tried it and it worked (99%...lol)

Puppy Linux is so flexible as an OS, I am always surprised and I am genuinely grateful to all that work behind the scenes :thumbup:

BTW ..... the kernel 6.2xx is deprecated...... I know you're on a sabbatical :lol:
