On Thu, Mar 10, 2022 at 12:26:54PM +0100, Vitaly Zaitsev via devel wrote: > On 10/03/2022 11:55, Alex wrote: > > May I suggest to leave at least the telnet protocol in curl-minimal for > > debugging purposes. > > Telnet is an extremely vulnerable protocol. It must be disable. > > If you need it, you can always install libcurl-full.
Nicely illustrating the key tension of the libcurl-minimal vs libcurl-full split. If you want to use SFTP which is secure, you have to install libcurl-full, which brings in support for the horribly insecure Telnet protocol and more, increasing the attack surface for every application using curl, unless they set CURLOPT_PROTOCOLS, which most don't :-( Everyone has their own conflicting idea of what is 'minimal'. There's no nice way to solve this problem in Fedora without curl upstream supporting dlopen modules per protoocol, allowing us to package each protocol independantly. With regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :| _______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
