[ITP-adopt] curl 7.15.0

[ITP-adopt] curl 7.15.0

Brian Dessent

According to the last of Corinna's pings that I read, the curl packages
were abandoned with no response from the maintainer.  If that is not the
case then ignore the rest of this.

I would like to adopt these packages and maintain them.  The current
packaged version is somewhat old anyway, and I believe that someone
mentioned it being vulnerable to a security flaw.  Below are packages
for 7.15.0.

The major changes that I have made compared to the old packaging are as
follows:

1. I have split the runtime into its own libcurl3 package.  This will
help for future ABI changes.  I don't think that anything currently
links against libcurl.  The only packages currently in the distro that
require it are clamav and vorbis-tools.  I checked clamav and it
apparently calls curl when running freshclam but it is not directly
linked to libcurl.  I did not check vorbis-tools but I assume it's the
same situation.  On the other hand, one example of a popular program
that does link to libcurl is PHP, and so I suppose I'm just looking
ahead to the day when we finally get PHP in the distro and libcurl
decides to change its ABI.  I'm certainly willing to forget this and
package the .dll with the 'curl' package if there is some reason for
that, but I figured that it would be a good opportunity to do the right
thing.

2. I linked against GNUTLS instead of OpenSSL.  This eliminates a nasty
potential GPL issue, which is detailed at
<http://curl.haxx.se/legal/licmix.html>.  Essentially, the situation is
that OpenSSL+libcurl is fine license-wise, but if someone then tried to
link that libcurl to a pure GPL app they'd be in violation of the GPL
because of its incompatibility with the BSD advertising clause of
OpenSSL.  A lot of GPL programs have the "openssl exception" for this
very reason, but libcurl can't count on that.  It's probably not an
issue right now for Cygwin, but it just seemed easier to me to ignore
the potential problem and use GNUTLS.  GNUTLS doesn't support everything
that openssl does, but the things it lacks (like the ancient SSLv2) seem
to be relatively minor corner-cases.

3. The HTML versions of the manpages are not included.  It seemed
wasteful to have identical docs in two formats, but I'm willing to
include the html if it's an issue.

4. I used the GBS instead of whatever was in use before.

Please review my packaging, since I'm sure I made a trivial mistake
somewhere.

sdesc: "command line tool for transferring files with HTTP, HTTPS, FTP,
etc."
ldesc: "cURL is a command line tool for transferring files with URL
syntax, supporting FTP, FTPS, TFTP, HTTP, HTTPS, GOPHER, TELNET, DICT,
FILE and LDAP. curl supports HTTPS certificates, HTTP POST, HTTP PUT,
FTP uploading, HTTP form based upload, proxies, cookies, user+password
authentication (Basic, Digest, NTLM, Negotiate, kerberos...), file
transfer resume, proxy tunneling and a busload of other useful tricks."
category: Web Net
requires: cygwin libcurl3

http://dessent.net/cygwin/release/curl/curl-7.15.0-1-src.tar.bz2
http://dessent.net/cygwin/release/curl/curl-7.15.0-1.tar.bz2
http://dessent.net/cygwin/release/curl/setup.hint

sdesc: "runtime library for cURL"
ldesc: "cURL is a command line tool for transferring files with URL
syntax, supporting FTP, FTPS, TFTP, HTTP, HTTPS, GOPHER, TELNET, DICT,
FILE and LDAP. curl supports HTTPS certificates, HTTP POST, HTTP PUT,
FTP uploading, HTTP form based upload, proxies, cookies, user+password
authentication (Basic, Digest, NTLM, Negotiate, kerberos...), file
transfer resume, proxy tunneling and a busload of other useful tricks."
category: Libs
requires: cygwin libgnutls11 zlib
external-source: curl

http://dessent.net/cygwin/release/curl/libcurl3/libcurl3-7.15.0-1.tar.bz2
http://dessent.net/cygwin/release/curl/libcurl3/setup.hint

sdesc: "development support files for cURL/libcurl (headers, static
libs, samples, and docs)"
ldesc: "cURL is a command line tool for transferring files with URL
syntax, supporting FTP, FTPS, TFTP, HTTP, HTTPS, GOPHER, TELNET, DICT,
FILE and LDAP. curl supports HTTPS certificates, HTTP POST, HTTP PUT,
FTP uploading, HTTP form based upload, proxies, cookies, user+password
authentication (Basic, Digest, NTLM, Negotiate, kerberos...), file
transfer resume, proxy tunneling and a busload of other useful tricks."
category: Web Net Devel
requires: cygwin libcurl3 curl
external-source: curl

http://dessent.net/cygwin/release/curl/curl-devel/curl-devel-7.15.0-1.tar.bz2
http://dessent.net/cygwin/release/curl/curl-devel/setup.hint

You can also use <http://dessent.net/cygwin/> as a location if you want
to test with setup.exe.

Brian


Re: [ITP-adopt] curl 7.15.0

Brian Dessent
Brian Dessent wrote:

> I did not check vorbis-tools but I assume it's the
> same situation.

Perhaps I should have, because /usr/bin/ogg123 is in fact linked to
cygcurl-2.dll, which would no longer exist.  Since the DLL version was
bumped I'm going to assume that the ABI was changed too, so I guess it's
a good indication of the need for separate runtime packages.

Anyway, to deal with this I will make a libcurl2 that consists of the
cygcurl-2.dll from the current curl packages.  Or if Corinna is feeling
generous she could just rebuild vorbis-tools, but I won't expect that.

Question: I have read Chuck W's emails on this in the past, but I just
want to confirm that the following is kosher.  Can I simply *rename* the
current *source* package curl-7.11.1-1-src.tar.bz2 to
libcurl2-7.11.1-1-src.tar.bz2, and create a libcurl2-7.11.1-1.tar.bz2
containing just usr/bin/cygcurl-2.dll *without* using an external-source
tag?  Since this is essentially a new package (since it has a new name)
I don't have to bump the -1, right?  Then it would just be a matter of
editing vorbis-tools' setup.hint to call for libcurl2, correct?

Brian

Re: [ITP-adopt] curl 7.15.0

Charles Wilson-2
Brian Dessent wrote:

> Question: I have read Chuck W's emails on this in the past, but I just
> want to confirm that the following is kosher.  Can I simply *rename* the
> current *source* package curl-7.11.1-1-src.tar.bz2 to
> libcurl2-7.11.1-1-src.tar.bz2, and create a libcurl2-7.11.1-1.tar.bz2
> containing just usr/bin/cygcurl-2.dll *without* using an external-source
> tag?

That's *exactly* what I do.  Go for it.

> Since this is essentially a new package (since it has a new name)
> I don't have to bump the -1, right?

I don't.

> Then it would just be a matter of
> editing vorbis-tools' setup.hint to call for libcurl2, correct?

Yep.

--
Chuck



Re: [ITP-adopt] curl 7.15.0

Brian Dessent
Charles Wilson wrote:

> That's *exactly* what I do.  Go for it.

Thanks for the sanity check.  Here are the libcurl2 files.

sdesc: "compatibility runtime library for libcurl 7.11.x"
ldesc: "cURL is a command line tool for transferring files with URL
syntax, supporting FTP, FTPS, TFTP, HTTP, HTTPS, GOPHER, TELNET, DICT,
FILE and LDAP. curl supports HTTPS certificates, HTTP POST, HTTP PUT,
FTP uploading, HTTP form based upload, proxies, cookies, user+password
authentication (Basic, Digest, NTLM, Negotiate, kerberos...), file
transfer resume, proxy tunneling and a busload of other useful tricks."
category: Libs
requires: cygwin openssl

http://dessent.net/cygwin/release/curl/libcurl2/libcurl2-7.11.1-1.tar.bz2
http://dessent.net/cygwin/release/curl/libcurl2/libcurl2-7.11.1-1-src.tar.bz2
http://dessent.net/cygwin/release/curl/libcurl2/setup.hint

Brian

Re: [ITP-adopt] curl 7.15.0

Corinna Vinschen-2
In reply to this post by Brian Dessent
On Nov 22 19:55, Brian Dessent wrote:

> 2. I linked against GNUTLS instead of OpenSSL.  This eliminates a nasty
> potential GPL issue, which is detailed at
> <http://curl.haxx.se/legal/licmix.html>.  Essentially, the situation is
> that OpenSSL+libcurl is fine license-wise, but if someone then tried to
> link that libcurl to a pure GPL app they'd be in violation of the GPL
> because of its incompatibility with the BSD advertising clause of
> OpenSSL.  A lot of GPL programs have the "openssl exception" for this
> very reason, but libcurl can't count on that.  It's probably not an
> issue right now for Cygwin, but it just seemed easier to me to ignore
> the potential problem and use GNUTLS.  GNUTLS doesn't support everything
> that openssl does, but the things it lacks (like the ancient SSLv2) seem
> to be relatively minor corner-cases.

It's not an issue for Cygwin and in theory I'd prefer if you could link
curl against OpenSSL.  OTOH, GNUTLS would be a fine additional package
for Cygwin, too (*hint, hint*).  Where is the GNUTLS package?  I don't
see it in your list of packages.  Since you linked curl against it, the
package should be provided anyway.


Corinna

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat, Inc.

Re: [ITP-adopt] curl 7.15.0

Corinna Vinschen-2
In reply to this post by Brian Dessent
On Nov 22 20:49, Brian Dessent wrote:

> Brian Dessent wrote:
>
> > I did not check vorbis-tools but I assume it's the
> > same situation.
>
> Perhaps I should have, because /usr/bin/ogg123 is in fact linked to
> cygcurl-2.dll, which would no longer exist.  Since the DLL version was
> bumped I'm going to assume that the ABI was changed too, so I guess it's
> a good indication of the need for separate runtime packages.
>
> Anyway, to deal with this I will make a libcurl2 that consists of the
> cygcurl-2.dll from the current curl packages.  Or if Corinna is feeling
> generous she could just rebuild vorbis-tools, but I won't expect that.

I'd rather have a libcurl2 package for historical reasons.  But I will
relink vorbis-tools against libcurl3 at one point (maybe you could ping
me if it looks like I forgot?).


Corinna

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat, Inc.

Re: [ITP-adopt] curl 7.15.0

Brian Dessent
In reply to this post by Corinna Vinschen-2
Corinna Vinschen wrote:

> It's not an issue for Cygwin and in theory I'd prefer if you could link
> curl against OpenSSL.  OTOH, GNUTLS would be a fine additional package
> for Cygwin, too (*hint, hint*).  Where is the GNUTLS package?  I don't
> see it in your list of packages.  Since you linked curl against it, the
> package should be provided anyway.

GNUTLS is already in the distro courtesy of Gerrit:
<http://www.cygwin.com/ml/cygwin-apps/2005-08/msg00303.html>

However the fact is that OpenSSL is a lot more mature and stable,
especially in the context of curl support, so it's very reasonable to
stick with it.  Debian has been trying to switch over to GNUTLS for
libcurl (and other libraries that need SSL/TLS) because of these
licensing reasons, but it looks like as of right now they are still with
OpenSSL, presumably because GNUTLS just isn't mature enough.  So, I'll
switch back to OpenSSL and make a -2 version.

Brian

Re: [ITP-adopt] curl 7.15.0

Brian Dessent

Re: [ITP-adopt] curl 7.15.0

Corinna Vinschen-2
In reply to this post by Brian Dessent
On Nov 23 03:57, Brian Dessent wrote:

> Corinna Vinschen wrote:
>
> > It's not an issue for Cygwin and in theory I'd prefer if you could link
> > curl against OpenSSL.  OTOH, GNUTLS would be a fine additional package
> > for Cygwin, too (*hint, hint*).  Where is the GNUTLS package?  I don't
> > see it in your list of packages.  Since you linked curl against it, the
> > package should be provided anyway.
>
> GNUTLS is already in the distro courtesy of Gerrit:
> <http://www.cygwin.com/ml/cygwin-apps/2005-08/msg00303.html>

*blush* oops.


Corinna

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat, Inc.

Re: [ITP-adopt] curl 7.15.0

Yaakov (Cygwin/X)
In reply to this post by Brian Dessent

Brian Dessent wrote:
> I would like to adopt these packages and maintain them.  The current
> packaged version is somewhat old anyway, and I believe that someone
> mentioned it being vulnerable to a security flaw.  Below are packages
> for 7.15.0.

First, thank you for taking on curl.

A few questions:

1) I don't think that we should keep libcurl2 as-is, being that it's
vulnerable.  Either we could drop it entirely (and recompile
vorbis-tools against libcurl3 immediately), or rebuild curl-7.11 with
the following patch:

http://curl.haxx.se/libcurl-ntlmbuf.patch

2) curl-7.15 can use c-ares and libidn, both recently proposed by
Gerrit.  c-ares was approved, but libidn had some packaging issues.
Maybe you could work with him to get those in the distro, then link
curl-7.15.0 with them as well (either now or for -2).


Yaakov

Re: [ITP-adopt] curl 7.15.0

Brian Dessent
"Yaakov S (Cygwin Ports)" wrote:

> 1) I don't think that we should keep libcurl2 as-is, being that it's
> vulnerable.  Either we could drop it entirely (and recompile
> vorbis-tools against libcurl3 immediately), or rebuild curl-7.11 with
> the following patch:
>
> http://curl.haxx.se/libcurl-ntlmbuf.patch

This is a good idea.  I've created a patched libcurl2:

http://dessent.net/cygwin/release/curl/libcurl2/setup.hint
http://dessent.net/cygwin/release/curl/libcurl2/libcurl2-7.11.1-2-src.tar.bz2
http://dessent.net/cygwin/release/curl/libcurl2/libcurl2-7.11.1-2.tar.bz2

> 2) curl-7.15 can use c-ares and libidn, both recently proposed by
> Gerrit.  c-ares was approved, but libidn had some packaging issues.
> Maybe you could work with him to get those in the distro, then link
> curl-7.15.0 with them as well (either now or for -2).

I'd prefer not to block on this.  However I'd be happy to refresh the
curl packages as soon as these libs have been uploaded.

Brian

Re: [ITP-adopt] curl 7.15.0

Yaakov (Cygwin/X)
In reply to this post by Brian Dessent

Brian Dessent wrote:
> Okay, here's the current set.  The setup.hints are unchanged except for
> the "requires" line so I won't paste them in the message.  (I include
> the libcurl2 package URLs here too just for convenience even though they
> are not changed from the prior email.)
>
> Please test.

I'd say not quite yet.

curl's configure looks for gdi32 and winmm libs for building on MinGW.
If w32api is installed, configure will pick these up, even though we
don't necessarily want them on Cygwin.

Also, I haven't been following all the recent discussion on g-b-s
logging, but it looks *very* strange to me to include the logs in the
-src tarball.

Otherwise 7.11.1-2 and 7.15.0-2 look good.


Yaakov

Re: [ITP-adopt] curl 7.15.0

Brian Dessent
"Yaakov S (Cygwin Ports)" wrote:

> curl's configure looks for gdi32 and winmm libs for building on MinGW.
> If w32api is installed, configure will pick these up, even though we
> don't necessarily want them on Cygwin.

I noticed that too (that it was adding -lwinmm to the link line) but as
far as I can tell it does not actually import anything from them:

$ cygcheck curl
Found: C:\cygwin\bin\curl.exe
C:/cygwin/bin/curl.exe
  C:\cygwin\bin\cygcurl-3.dll
    C:\cygwin\bin\cygcrypto-0.9.8.dll
      C:\cygwin\bin\cygwin1.dll
        C:\WINXP\system32\ADVAPI32.DLL
          C:\WINXP\system32\ntdll.dll
          C:\WINXP\system32\KERNEL32.dll
          C:\WINXP\system32\RPCRT4.dll
    C:\cygwin\bin\cygssl-0.9.8.dll
    C:\cygwin\bin\cygz.dll

> Also, I haven't been following all the recent discussion on g-b-s
> logging, but it looks *very* strange to me to include the logs in the
> -src tarball.

GRRR..  I failed to notice that it was doing that, nor did I intend to
include the logs.  I'll have to delete that stuff from the GBS for the
next revision.

Brian

Re: [ITP-adopt] curl 7.15.0

Yaakov (Cygwin/X)

Brian Dessent wrote:
> I noticed that too (that it was adding -lwinmm to the link line) but as
> far as I can tell it does not actually import anything from them:

Looking at the code, everything Windows related is #ifdef WIN32, so it
would appear not to matter to the runtime.

However, due to these being on the link line, the libcurl.la file
still includes these:

# Libraries that this one depends upon.
dependency_libs=' -L/usr/lib -lssl -lcrypto -lgdi32 -lwinmm -lz'

Libtool hence will unnecessarily require w32api to be installed in order
to link with these two.  So I'd still say that they need to be avoided.


Yaakov
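
The check described in the message above, as an added example that is not part of the original thread: it reads dependency_libs from a libtool .la file and reports any -l flags on a deny list. The function names and the sample file (including its dlname line) are constructed for illustration.

```sh
#!/bin/sh
# Added example: flag unwanted libraries in a libtool .la file.

# la_flag_libs FILE LIB...
# Prints, space-separated, every -lLIB token in dependency_libs that
# matches one of the LIB names given; prints an empty line if none match.
la_flag_libs() (
    la=$1; shift
    set -f    # no globbing while splitting the flag list into words
    # libtool writes: dependency_libs=' -L/usr/lib -lssl ...'
    deps=$(sed -n "s/^dependency_libs='\(.*\)'.*/\1/p" "$la")
    hits=
    for tok in $deps; do
        for bad in "$@"; do
            if [ "$tok" = "-l$bad" ]; then
                hits="${hits:+$hits }$tok"
            fi
        done
    done
    printf '%s\n' "$hits"
)

# write_sample_la FILE: constructed sample; only the dependency_libs
# line is taken from the thread.
write_sample_la() {
    cat > "$1" <<'EOF'
# libcurl.la - a libtool library file (constructed sample)
dlname='../bin/cygcurl-3.dll'
# Libraries that this one depends upon.
dependency_libs=' -L/usr/lib -lssl -lcrypto -lgdi32 -lwinmm -lz'
EOF
}

# Demo on the constructed file.
demo_la=$(mktemp)
write_sample_la "$demo_la"
la_flag_libs "$demo_la" gdi32 winmm    # prints: -lgdi32 -lwinmm
rm -f "$demo_la"
```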

Re: [ITP-adopt] curl 7.15.0

Brian Dessent
"Yaakov S (Cygwin Ports)" wrote:

> # Libraries that this one depends upon.
> dependency_libs=' -L/usr/lib -lssl -lcrypto -lgdi32 -lwinmm -lz'
>
> Libtool hence will unnecessarily require w32api to be installed in order
> to link with these two.  So I'd still say that they need to be avoided.

Well if you don't have w32api installed then you won't be able to
compile anything.  Even for the most trivial of windows programs you'd
need -luser32 and -lkernel32.

That aside, I do agree that it's ugly and unnecessary.  So I patched
configure.ac to not add those when building for Cygwin.  New -3 packages
listed below (sans build logs in -src package.)

BTW, the current curl package has these extraneous -lgdi32 -lwinmm flags
as well, so it appears to have always been this way.

http://dessent.net/cygwin/release/curl/curl-7.15.0-3.tar.bz2
http://dessent.net/cygwin/release/curl/curl-7.15.0-3-src.tar.bz2
http://dessent.net/cygwin/release/curl/curl-devel/curl-devel-7.15.0-3.tar.bz2
http://dessent.net/cygwin/release/curl/libcurl3/libcurl3-7.15.0-3.tar.bz2

Brian

Re: [ITP-adopt] curl 7.15.0

Yaakov (Cygwin/X)

Brian Dessent wrote:
> That aside, I do agree that it's ugly and unnecessary.  So I patched
> configure.ac to not add those when building for Cygwin.  New -3 packages
> listed below (sans build logs in -src package.)

Except that the *new* -src package built from the old one still includes
them:

$ tar jtf curl-7.15.0-3-src.tar.bz2
curl-7.15.0-3-BUILDLOGS.tar.bz2
curl-7.15.0-3.patch
curl-7.15.0-3.sh
curl-7.15.0.tar.bz2

In any case, this is a minor nit.  At this point, it's more important to
get curl updated for the security flaw, so I'm calling this GTG.

Please, though, try to get c-ares and libidn included when you can.

> BTW, the current curl package has these extraneous -lgdi32 -lwinmm flags
> as well, so it appears to have always been this way.

I don't think I was around to review it then. :-)


Yaakov

Re: [ITP-adopt] curl 7.15.0

Eric Blake-2
In reply to this post by Brian Dessent
> In any case, this is a minor nit.  At this point, it's more important to
> get curl updated for the security flaw, so I'm calling this GTG.
>
> Please, though, try to get c-ares and libidn included when you can.

I have just uploaded curl-7.15.0-3, based on this recommendation.
I deleted all remnants of 7.10.8-1, but was unsure whether to remove
the old curl/curl-7.11.1-1* in favor of the new curl/libcurl2/*7.11.1*
files.  Please advise.

--
Eric Blake



Re: [ITP-adopt] curl 7.15.0

Brian Dessent
Eric Blake wrote:

> > In any case, this is a minor nit.  At this point, it's more important to
> > get curl updated for the security flaw, so I'm calling this GTG.
> >
> > Please, though, try to get c-ares and libidn included when you can.
>
> I have just uploaded curl-7.15.0-3, based on this recommendation.
> I deleted all remnants of 7.10.8-1, but was unsure whether to remove
> the old curl/curl-7.11.1-1* in favor of the new curl/libcurl2/*7.11.1*
> files.  Please advise.

I'd like to leave the current 7.11.1 package around for a while as prev
until it's clear that I didn't fubar anything.  The problem of
course is that it includes cygcurl-2.dll.  So if the user chooses this
prev version of the package it will overwrite the security-patched
cygcurl-2.dll in the new libcurl2.  There's really no way around this as
far as I can tell.

I suppose what I can do is just mention this in the announcement, that
if you choose to stick with the 7.11.1 package you are responsible for
ensuring that the patched libcurl2 gets used.  Worst case, the user gets
the vulnerable libcurl2, which is all that is currently available anyway
so I suppose it does no harm.

Brian
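
The overwrite risk described in the message above can be checked before upload. This is an added example, not part of the original thread: it lists the paths that two package tarballs both ship and says whether the copies differ. The function names are hypothetical and the sample archives hold constructed placeholder bytes, not real binaries.

```sh
#!/bin/sh
# Added example: detect files shipped by two package tarballs, so that a
# "prev" package that would overwrite a patched DLL is caught in review.

# pkg_collisions A.tar B.tar
# Prints one line per path present in both archives: "same|differs <path>".
# GNU tar detects compression on read, so .tar.bz2 inputs work as well.
pkg_collisions() (
    a=$1; b=$2
    work=$(mktemp -d) || exit 1
    # Keep file members only (directory entries end in "/").
    tar tf "$a" | grep -v '/$' | sort -u > "$work/a.lst"
    tar tf "$b" | grep -v '/$' | sort -u > "$work/b.lst"
    comm -12 "$work/a.lst" "$work/b.lst" | while IFS= read -r path; do
        sum_a=$(tar xOf "$a" "$path" | cksum)
        sum_b=$(tar xOf "$b" "$path" | cksum)
        if [ "$sum_a" = "$sum_b" ]; then
            printf 'same %s\n' "$path"
        else
            printf 'differs %s\n' "$path"
        fi
    done
    rm -rf "$work"
)

# make_sample_packages DIR: constructed archives mirroring the thread.
#   curl-7.11.1-1.tar      ships curl.exe and the unpatched cygcurl-2.dll
#   libcurl2-7.11.1-2.tar  ships only the patched cygcurl-2.dll
make_sample_packages() (
    dir=$1
    mkdir -p "$dir/old/usr/bin" "$dir/new/usr/bin"
    printf 'placeholder: curl.exe\n'            > "$dir/old/usr/bin/curl.exe"
    printf 'placeholder: unpatched DLL bytes\n' > "$dir/old/usr/bin/cygcurl-2.dll"
    printf 'placeholder: patched DLL bytes\n'   > "$dir/new/usr/bin/cygcurl-2.dll"
    tar cf "$dir/curl-7.11.1-1.tar"     -C "$dir/old" usr
    tar cf "$dir/libcurl2-7.11.1-2.tar" -C "$dir/new" usr
)

# Demo on the constructed archives.
demo_dir=$(mktemp -d)
make_sample_packages "$demo_dir"
pkg_collisions "$demo_dir/curl-7.11.1-1.tar" "$demo_dir/libcurl2-7.11.1-2.tar"
# prints: differs usr/bin/cygcurl-2.dll
rm -rf "$demo_dir"
```

A "differs" line for a DLL means install order decides which copy ends up on disk, which is the situation the announcement has to warn about.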

Re: [ITP-adopt] curl 7.15.0

Brian Dessent
In reply to this post by Eric Blake-2
Eric Blake wrote:

> I have just uploaded curl-7.15.0-3, based on this recommendation.
> I deleted all remnants of 7.10.8-1, but was unsure whether to remove
> the old curl/curl-7.11.1-1* in favor of the new curl/libcurl2/*7.11.1*
> files.  Please advise.

Hmm, it looks like you uploaded the -1 version of the libcurl2 package,
but the -2 version contains the security fix:
<http://cygwin.com/ml/cygwin-apps/2005-11/msg00229.html>.

Brian

Re: [ITP-adopt] curl 7.15.0

Brian Dessent
Brian Dessent wrote:

> Hmm, it looks like you uploaded the -1 version of the libcurl2 package,
> but the -2 version contains the security fix:
> <http://cygwin.com/ml/cygwin-apps/2005-11/msg00229.html>.

Also, the vorbis-tools setup.hint needs to be edited to call for
libcurl2 instead of curl.

Brian