@bagder Essentially, #curl commit 0ae0abbe72514a75c10bfc4108d9f254f594c086 broke updating #HardenedBSD packages for certain users who use HardenedBSD behind a fully Tor-ified network (a network that uses transparent Tor proxying).

Those users were unable to update their HardenedBSD systems since the package manager uses libcurl behind-the-scenes. Some of these users live in malicious environments (malicious to human life), with actively-exploited applications.

So, this prohibition had a real negative impact, putting our users in harm's way.

If curl had a way to bypass the prohibition, we would've been able to keep our users safe.

This is why I mention #Radicle: they, too, do not support the .onion TLD by default, but can be configured to provide that support.

Radicle has three options:

1. Default: No support, .onion domain lookups will fail.
2. SOCKS support where .onion lookups succeed.
3. Explicit transparent proxying support, so .onion lookups succeed

curl is missing that third option.

@bagder because you seem to me to be somewhat confused. Like statements like "if they're transparent, what's there to support?"

But, whatever, I already maintain a patch for #HardenedBSD users to remove the prohibition. The problem is solved on HardenedBSD.

right, but you also re-introduce the problem to those who mistakenly use .onion without the proxy setup. Like the RFC tries to address... So right, you opt the other option of the two.

I don't have the solution.