libcurl may be unsound due to calls to `getenv`

[xerxes12354]

I was looking at the time crate wondering why the time crate didn't give offsets, and I stumbled upon this thread on Internals. This seems like a big problem so I went looking for FFI crates where this could be a problem.

Looking at libcurl source code, and the list of environment variables libcurl uses https://curl.se/libcurl/c/libcurl-env.html, it looks like this wrapper has a data race when set_env is called in another thread.

[sagebind]

I'm not sure what we are expected to do about this. Lots of C libraries use getenv, including libcurl. Seems like this is a much larger problem than any one crate, and I don't think it is reasonable to expect most individual crates to address the problem.

Just to be extra clear, this isn't a problem with this wrapper per se, since we don't call getenv at all. But libcurl itself does, which we have no control over.

[sagebind]

Closing as there's not much that can be done about this, and arguably it is set_env that is the problem, not getenv.