On 2/22/22 13:57, Chris Adams wrote:
> Once upon a time, Ben Cotton <bcotton@xxxxxxxxxx> said:
>> Those infrequently used protocols are less tested than the common ones
>> and are a source of security bugs.
>> Most users are not using those protocols anyway, so disabling them
>> reduces the bug and attack surface.
>
> This is a poor argument IMHO. If the protocols are still going to be
> shipped, they need to be maintained to the same level. There will be
> things that want to use some other protocol and guides on the Internet
> that say "for Fedora, install the full curl", so from a security
> standpoint, the maintenance requirement is still the same.

Reducing maintenance requirements is not the purpose of this change.
The purpose is to reduce the likelihood that a user is compromised by a
0day or other vulnerability. The fewer people are impacted by a given
vulnerability, the better.

> Looking at the curl RPM changelog on F35, most CVE entries seem to be
> TLS and/or HTTP(S) related, with a couple of TELNET and one MQTT.
> Looking back to 2020, there were more TLS and a couple of FTP (which is
> staying in the minimal build).
>
> If TELNET/etc. is a problem and not being maintained upstream, then just
> drop TELNET. Don't shuffle it off to the side and ignore security
> issues in a package still in the repos.

As mentioned above, the purpose of this change is to ensure that
vulnerabilities in obscure protocols impact a smaller fraction of users.
Right now, a vulnerability in an obscure protocol impacts most users.
With this change, it will only impact users that have installed the full
version of curl. This is independent of whether a given protocol should
be disabled outright.

-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
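The thread turns on which protocols a given curl build actually has compiled in, since that is what decides whether a host is exposed to a bug in one of the obscure ones. The script below is an added example, not code from the message or from the Fedora curl package: it parses the `Protocols:` line that `curl --version` prints, compares it against an allowlist of the everyday protocols, and reports anything beyond that set. The allowlist (`file ftp ftps http https`) and the embedded version output are constructed for illustration; the real minimal-build protocol set is whatever the package defines.

```shell
#!/bin/sh
# Constructed sample of `curl --version` output (not captured from any real host).
SAMPLE_CURL_VERSION='curl 7.79.1 (x86_64-redhat-linux-gnu) libcurl/7.79.1 OpenSSL/1.1.1l zlib/1.2.11
Release-Date: 2021-09-22
Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS brotli GSS-API HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM NTLM_WB PSL SPNEGO SSL TLS-SRP UnixSockets'

# Assumed allowlist of everyday protocols; anything else enabled is reported.
# The actual minimal-curl set is defined by the Fedora package, not by this script.
ALLOWED_PROTOCOLS="file ftp ftps http https"

# Read version output on stdin and print the space-separated protocol list.
enabled_protocols() {
    sed -n 's/^Protocols: //p'
}

# Read version output on stdin; print each enabled protocol not in the allowlist, one per line.
extra_protocols() {
    enabled_protocols | tr ' ' '\n' | while read -r proto; do
        [ -n "$proto" ] || continue
        case " $ALLOWED_PROTOCOLS " in
            *" $proto "*) ;;                     # allowlisted: stay quiet
            *) printf '%s\n' "$proto" ;;         # anything else is surplus attack surface
        esac
    done
}

# Check a version text passed as $1: returns 0 if only allowlisted protocols are
# enabled, 1 otherwise (and names the surplus ones).
check_version_text() {
    extras=$(printf '%s\n' "$1" | extra_protocols)
    if [ -n "$extras" ]; then
        printf 'extra protocols enabled: %s\n' "$(printf '%s' "$extras" | tr '\n' ' ')"
        return 1
    fi
    printf 'only allowlisted protocols enabled\n'
    return 0
}

# Run against the constructed sample; on a real host use "$(curl --version)" instead.
check_version_text "$SAMPLE_CURL_VERSION" || true
```

On a fleet this is the kind of check that tells you which hosts would be inside the blast radius of a vulnerability in, say, TELNET or MQTT, which is the fraction the message is arguing the change shrinks. A full build legitimately installed for a tool that needs one of the extra protocols shows up here too, so the report is an inventory to review, not by itself a finding.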
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure