Open yerke opened 1 year ago
Thank you @yerke. Since this is correctly telling us about a security gap, I don't think we have a concrete problem per se. Though perhaps we should document that older curls will error when given --tlsv1.2 for the initial script download - and what that means.
Problem
@rbtcollins suggested I file this issue in https://github.com/rust-lang/www.rust-lang.org/pull/1823.
On stock Ubuntu 14.04 LTS (which has extended security maintenance until 2024-04-25) that comes with curl 7.35.0 I see:
Those warnings happen whether you add or not --proto '=https' --tlsv1.2 as currently recommended in https://github.com/rust-lang/www.rust-lang.org/blob/961dcbda8dff80eb19dd046d3e748d054e6b39d1/templates/components/tools/rustup.html.hbs#L20 and https://github.com/rust-lang/rustup/blob/843459f893091f89b2dd5c7a977da1b3eb28df1b/www/index.html#L31
I want to point out that rust-init.sh is correct in printing out those warnings. curl 7.35.0 that comes with stock Ubuntu 14.04 shows that it only supports --tlsv1 when I look at the options using curl --help all as rust-init.sh does.
According to https://launchpad.net/ubuntu/trusty/+source/curl, 7.35.0 is indeed the latest version available for Ubuntu 14.04. Running sudo apt-get upgrade curl didn't change the result.
Disclaimer: I do not use Ubuntu 14.04 for anything, nor do I expect anyone reasonable to use that ancient version. I just looked up the oldest version of Ubuntu somebody might be using while researching for the PR I linked above and I was specifically looking to trigger that warning / take the corresponding code path.
Steps
curl https://sh.rustup.rs -sSf | sh
Possible Solution(s)
Do nothing. I think those warnings are expected in this case.
Notes
No response
Rustup version
Installed toolchains
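
The check discussed in this issue (reading curl's option list to decide whether --proto and --tlsv1.2 can be passed, and warning when they cannot), as an added example that is not part of the original issue and is not rustup's own script. The function names has_flag and curl_tls_args are hypothetical, and both help excerpts are constructed for illustration rather than captured from a real curl.

```sh
#!/bin/sh
# Added example: pick the TLS hardening flags a curl build can accept,
# based on its help text (e.g. the output of `curl --help all`).

# Constructed help excerpt for a curl that lists only --tlsv1.
OLD_HELP=' -1, --tlsv1         Use TLSv1 (SSL)
     --proto PROTOCOLS  Enable/disable PROTOCOLS
 -s, --silent        Silent mode'

# Constructed help excerpt for a curl that also lists --tlsv1.2.
NEW_HELP=' -1, --tlsv1         Use TLSv1.0 or greater
     --tlsv1.2       Use TLSv1.2 or greater
     --proto <protocols>  Enable/disable PROTOCOLS
 -s, --silent        Silent mode'

# has_flag HELP FLAG: succeed only if FLAG appears as a whole option name.
# Comparing whole fields means a literal "." is never treated as a regex
# wildcard and "--tlsv1" is not mistaken for "--tlsv1.2" or vice versa.
has_flag() {
    printf '%s\n' "$1" | awk -v f="$2" '
        { for (i = 1; i <= NF; i++) { w = $i; sub(/,$/, "", w); if (w == f) found = 1 } }
        END { exit !found }'
}

# curl_tls_args HELP: print the flags that are safe to pass to this curl.
# Each missing flag produces a warning on stderr instead of a hard failure,
# so the caller can see which protection is absent.
curl_tls_args() {
    args=''
    if has_flag "$1" --proto; then
        args='--proto =https'
    else
        echo 'warning: curl lacks --proto; cannot restrict the download to HTTPS' >&2
    fi
    if has_flag "$1" --tlsv1.2; then
        args="${args:+$args }--tlsv1.2"
    else
        echo 'warning: curl lacks --tlsv1.2; cannot require TLS 1.2' >&2
    fi
    printf '%s\n' "$args"
}

# Demo on the older excerpt: prints "--proto =https" plus one warning.
curl_tls_args "$OLD_HELP"
```

On a real system the first argument would be the captured help output, for example "$(curl --help all 2>/dev/null)".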