Bazaar 1.9 rc1-2 Windows installers

John Arbash Meinel john at arbash-meinel.com
Fri Nov 7 21:32:04 GMT 2008




> If you chose to include pycurl, then please install and use a
> curl[2] version >= 7.19 as previous ones have led to bug #225020
> (which reveals more problems than the bug itself).
> 
>          Vincent

...

> [2]: I know, I know, yet one more package on top of all the
> others but can we really drop certificate verification?
> 

Well, it is fairly non-trivial to get pycurl set up on Windows. I just
tried "easy_install" and it fails because you have to have installed
curl itself, and set your environment, etc.

And for the pre-built libraries that they have here:
http://pycurl.sourceforge.net/download/

It only goes up to 7.18.2, though they have a tarball for 7.19.

As for skipping cert verification...

At *this* point in Bazaar's lifecycle, I think the chance that someone
will play Man-in-the-middle and hijack a bzr branch is on the order of
0%. On the other hand, the chance that someone will set up a self-signed
certificate, which will then fail during certificate verification is
around 100% (we already have had 2-3 bugs opened about this issue).

So while in the long run, I think it is important to properly verify
certificates, ATM it causes more problems than it fixes.

Don't forget, for people who really need secure access, they are likely
using bzr+ssh anyway.

So between your request that we use >= 7.19 because the other versions
are buggy, more people run into cert verification causing problems than
helping, the still-standing issues with pycurl (it doesn't handle
interrupts so you are stuck waiting for the current download to finish
before you can cancel, etc.), I'm planning on deferring for now.

If you want to get pycurl 7.19 built on that machine, then I would
reconsider. But there aren't enough pros to outweigh the cons at this point.

John
=:->


