Dropping 1002597 from the discussion to focus on 897950.

On Sun, 26 Dec 2021 at 10:59, Daniel Stenberg <dan...@haxx.se> wrote:
> What's the reason for the switch to begin with? The only reason stated in 897950
> seems to be "that's a better maintained library and other distributions
> already switched to it".

Fedora's wiki states a few security improvements[0], though I didn't double check whether those apply to curl's usage of ssh.

> 1. How is it "a better maintained library" ?

I assume this is judging by the amount of recent commits on both projects, so it's not a perfect metric and it's gonna be hard to argue for it in case of disagreement. My assumption might be wrong though and the people who said it could have different metrics for it.

> 2. Why does it matter what other distros have done? Surely other distros do
> all sorts of crazy decisions all the time. Why is this particular one you
> think is fine to follow?

Let me try to describe where I stand.

By following other distros we benefit from a bigger userbase and thus increased chances of receiving patches from those distros through upstream. In the case of syncing with Ubuntu this is even better as they're constantly sending patches back to us. It's a bit of a symbiotic relationship cause they also don't wanna carry over deltas from Debian.

It's also sometimes good to try to standardise the packages on a certain library and focus on that, instead of maintaining multiple ones. This is one of the reasons Ubuntu switched to libssh, though I can't say yet if Debian will benefit from this as well (we usually support multiple libraries).

This being said, these things don't weigh over "crazy decisions", so we can always divert if we think it's the right thing.

Daniel, I won't rush this change and I value your input on this, as both curl and libssh2's upstream, so feel free to take your time to reply.

On my initial assessment I couldn't find considerable differences that would weigh in favour of staying with libssh2, I did stumble upon your blogposts talking about performance (libssh2 being better) but they are a bit old and I'm not sure if it's still applicable.

From your message, I believe you are leaning towards sticking with libssh2, and I would be happy to hear your thoughts on it.

[0] https://fedoraproject.org/wiki/Changes/libssh-in-libcurl

Thank you,

--
Samuel Henrique <samueloph>