Once upon a time, Ben Cotton <bcotton(a)redhat.com> said:
> Those infrequently used protocols are less tested than the common ones
> and are a source of security bugs.
> Most users are not using those protocols anyway, so disabling them
> reduces the bug and attack surface.

This is a poor argument IMHO. If the protocols are still going to be
shipped, they need to be maintained to the same level. There will be
things that want to use some other protocol and guides on the Internet
that say "for Fedora, install the full curl", so from a security
standpoint, the maintenance requirement is still the same.

Looking at the curl RPM changelog on F35, most CVE entries seem to be
TLS and/or HTTP(S) related, with a couple of TELNET and one MQTT.
Looking back to 2020, there were more TLS and a couple of FTP (which is
staying in the minimal build).

If TELNET/etc. is a problem and not being maintained upstream, then just
drop TELNET. Don't shuffle it off to the side and ignore security
issues in a package still in the repos.
--
Chris Adams <linux(a)cmadams.net>