On Thu, Mar 10, 2022 at 6:49 AM Daniel P. Berrangé <berra...@redhat.com> wrote: > > On Thu, Mar 10, 2022 at 12:26:54PM +0100, Vitaly Zaitsev via devel wrote: > > On 10/03/2022 11:55, Alex wrote: > > > May I suggest to leave at least the telnet protocol in curl-minimal for > > > debugging purposes. > > > > Telnet is an extremely vulnerable protocol. It must be disable. > > > > If you need it, you can always install libcurl-full. > > Nicely illustrating the key tension of the libcurl-minimal vs libcurl-full > split. > > If you want to use SFTP which is secure, you have to install libcurl-full, > which brings in support for the horribly insecure Telnet protocol and more, > increasing the attack surface for every application using curl, unless > they set CURLOPT_PROTOCOLS, which most don't :-( > > Everyone has their own conflicting idea of what is 'minimal'. There's > no nice way to solve this problem in Fedora without curl upstream > supporting dlopen modules per protoocol, allowing us to package each > protocol independantly. >
Has anyone asked upstream about that yet? -- 真実はいつも一つ!/ Always, there's only one truth! _______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
