On Thu, Mar 10, 2022 at 6:49 AM Daniel P. Berrangé <berrange(a)redhat.com> wrote:
On Thu, Mar 10, 2022 at 12:26:54PM +0100, Vitaly Zaitsev via devel wrote:
> On 10/03/2022 11:55, Alex wrote:
> > May I suggest to leave at least the telnet protocol in curl-minimal for
> > debugging purposes.
> Telnet is an extremely vulnerable protocol. It must be disabled.
> If you need it, you can always install libcurl-full.
Nicely illustrating the key tension of the libcurl-minimal vs libcurl-full
If you want to use SFTP which is secure, you have to install libcurl-full,
which brings in support for the horribly insecure Telnet protocol and more,
increasing the attack surface for every application using curl, unless
they set CURLOPT_PROTOCOLS, which most don't :-(
Everyone has their own conflicting idea of what is 'minimal'. There's
no nice way to solve this problem in Fedora without curl upstream
supporting dlopen modules per protocol, allowing us to package each
Has anyone asked upstream about that yet?
真実はいつも一つ！/ Always, there's only one truth!
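
An added example, not part of the thread and not code from curl or Fedora: a heuristic Python check for the situation described above, scanning C source for libcurl easy handles that never set CURLOPT_PROTOCOLS. CURLOPT_PROTOCOLS_STR and the redirect options are real libcurl options the thread does not name; the function name `audit` and the C sample are constructed for illustration.

```python
import re

# Options that restrict the URL schemes a handle accepts. The *_STR and
# REDIR variants are real libcurl options that the thread does not name.
PROTO_OPTS = {"CURLOPT_PROTOCOLS", "CURLOPT_PROTOCOLS_STR"}
REDIR_OPTS = {"CURLOPT_REDIR_PROTOCOLS", "CURLOPT_REDIR_PROTOCOLS_STR"}

COMMENT = re.compile(r"/\*.*?\*/|//[^\n]*", re.S)
INIT = re.compile(r"(\w+)\s*=\s*curl_easy_init\s*\(")
SETOPT = re.compile(r"curl_easy_setopt\s*\(\s*(\w+)\s*,\s*(CURLOPT_\w+)")

# Constructed sample input: two handles, only the second one restricted.
SAMPLE = r'''
CURL *dl = curl_easy_init();
curl_easy_setopt(dl, CURLOPT_URL, url);
curl_easy_setopt(dl, CURLOPT_FOLLOWLOCATION, 1L);
/* curl_easy_setopt(dl, CURLOPT_PROTOCOLS, CURLPROTO_HTTPS); */

CURL *up = curl_easy_init();
curl_easy_setopt(up, CURLOPT_PROTOCOLS_STR, "https,sftp");
curl_easy_setopt(up, CURLOPT_URL, url);
'''


def audit(source):
    """Return {handle: [findings]} for handles lacking a protocol restriction.

    Heuristic: matches by variable name inside one source text, so a handle
    configured in another file or through a wrapper is reported as well, and
    the value passed to CURLOPT_FOLLOWLOCATION is not inspected.
    """
    code = COMMENT.sub("", source)  # commented-out calls do not count
    opts = {name: set() for name in INIT.findall(code)}
    for handle, opt in SETOPT.findall(code):
        if handle in opts:
            opts[handle].add(opt)
    report = {}
    for handle, seen in opts.items():
        findings = []
        if not seen & PROTO_OPTS:
            findings.append("no CURLOPT_PROTOCOLS: every built-in protocol is accepted")
        if "CURLOPT_FOLLOWLOCATION" in seen and not seen & REDIR_OPTS:
            findings.append("CURLOPT_FOLLOWLOCATION set, redirect protocols left at default")
        if findings:
            report[handle] = findings
    return report


if __name__ == "__main__":
    for handle, findings in audit(SAMPLE).items():
        for finding in findings:
            print(f"{handle}: {finding}")
```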