On Sunday, October 17, 2021 2:40:05 PM CEST Steven Grubb wrote:
> On Sat, Oct 16, 2021 at 10:08 PM Kevin Kofler via devel <devel@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
> > Steve Grubb wrote:
> > > I'd like to suggest making libcurl-minimal very minimal for security
> > > reasons. The main curl package has many security issues (CVEs)
> > > constantly. But usually, the problem is in some obscure
> > > feature/protocol.
> > > Looking at the packages that depend on libcurl with rpmreaper, most would
> > > use http(s). There might be some that use another protocol. But clear text
> > > protocols like telnet and ftp really don't have a use in today's internet.
> > > Too many threats for clear text.
> >
> > I suspect that disabling FTP in libcurl is going to break a lot of stuff.
>
> I'd be curious, what package uses curl for its FTP support?
>
> -Steve

For example dracut, dnf, and rpm seem to use FTP:

https://git.kernel.org/pub/scm/boot/dracut/dracut.git/tree/modules.d/45url-lib/url-lib.sh?h=055#n55
https://github.com/rpm-software-management/dnf/blob/f85cf313/dnf/repo.py#L636
https://github.com/rpm-software-management/rpm/blob/rpm-4.14.0-release/rpmio/url.c#L25

Kamil