On 2/22/22 16:47, Chris Adams wrote:
> Once upon a time, Demi Marie Obenour <demiobenour@xxxxxxxxx> said:
>> As mentioned above, the purpose of this change is to ensure that
>> vulnerabilities in obscure protocols impact a smaller fraction of
>> users. Right now, a vulnerability in an obscure protocol impacts
>> most users. With this change, it will only impact users that have
>> installed the full version of curl. This is independent of whether a
>> given protocol should be disabled outright.
>
> I just feel that if there's enough security concern with some of the
> code, then Fedora shouldn't ship that code. Either the code is secure
> enough and maintained well enough to ship, or it's not.
>
> Otherwise, don't list this as a justification for the change proposal.

Secure enough to ship ≠ secure enough to enable by default. Every piece of
attack surface that can be removed from the default install is helpful.

--
Sincerely,
Demi Marie Obenour (she/her/hers)
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx