On 2/22/22 16:47, Chris Adams wrote:
Once upon a time, Demi Marie Obenour <demiobenour(a)gmail.com>
said:
> As mentioned above, the purpose of this change is to ensure that
> vulnerabilities in obscure protocols impact a smaller fraction of
> users. Right now, a vulnerability in an obscure protocol impacts
> most users. With this change, it will only impact users that have
> installed the full version of curl. This is independent of whether a
> given protocol should be disabled outright.
I just feel that if there's enough security concern with some of the
code, then Fedora shouldn't ship that code. Either the code is secure
enough and maintained well enough to ship, or it's not.
Otherwise, don't list this as a justification for the change proposal.
Secure enough to ship ≠ secure enough to enable by default. Every
piece of attack surface that can be removed from the default install
is helpful.
--
Sincerely,
Demi Marie Obenour (she/her/hers)