I think the security requirements have to do with disallowing a bunch of things like plain HTTP, HTTPS without certificate checks, HTTPS with old cipher suites, and certificate checks against old certificate roots. Xbox games need to support infrequent updates and so need a mechanism for the host to inject a new trusted root cert bundle. All of this is probably possible with Curl, but Curl is very flexible and can be used in a lot of different ways. Most of those are unhelpful in a tightly controlled environment.
Export restrictions compliance may come into it too: when you are publishing software from an app store based in the US, if your software contains cryptography you have to fill out some forms and it’s easier to get through them if your software doesn’t contain any custom encryption code, so all the cryptography is “standard” and handled by a library that comes with the OS.
What’s the problem with a fork of MIT-licensed software again?
I see two main problems: Daniel’s name is all over the file copyright headers, and Microsoft directly links to his documentation, so I felt a dread about incoming support requests. This is compounded by the source not being publicly available (though not legally required), so he is helpless to provide support for this unknown configuration of an unknown version of the library.
The article is quite clear about this being ok license-wise?
I don’t think the problem is the fork of the code; it’s the use of the name that implies the connection to the upstream, plus the links to the official docs, which is almost certainly going to result in a non-zero number of people hassling Daniel about bugs in xCurl.
Would’ve been better if they just used the code with a name that’s completely distinct with a nod to the upstream in their materials.