Once upon a time, Ben Cotton <[email protected]> said: > Those infrequently used protocols are less tested than the common ones > and are a source of security bugs. > Most users are not using those protocols anyway, so disabling them > reduces the bug and attack surface.
This is a poor argument IMHO. If the protocols are still going to be shipped, they need to be maintained to the same level. There will be things that want to use some other protocol and guides on the Internet that say "for Fedora, install the full curl", so from a security standpoint, the maintenance requirement is still the same. Looking at the curl RPM changelog on F35, most CVE entries seem to be TLS and/or HTTP(S) related, with a couple of TELNET and one MQTT. Looking back to 2020, there were more TLS and a couple of FTP (which is staying in the minimal build). If TELNET/etc. is a problem and not being maintained upstream, then just drop TELNET. Don't shuffle it off to the side and ignore security issues in a package still in the repos. -- Chris Adams <[email protected]> _______________________________________________ devel mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/[email protected] Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
