On Fri, Sep 16, 2016 at 2:03 PM, Ken Dreyer <kdre...@redhat.com> wrote: > Hi Casey, > > That warning message tells users to upgrade to a new version of > libcurl. Telling users to upgrade to a newer version of a base system > package like that sets the user on a trajectory to have to maintain > their own curl packages forever, decreasing the security of their > overall system in the long run. For example ceph.com itself shipped a > newer el6 curl package for a while in "ceph-extras", until it fell of > everyone's radar, no one updated it, and it had many outstanding CVEs > until we finally dropped el6 support altogether. >
I got the details wrong here - in ceph-extras, it was qemu-kvm on el6 that had a bunch of unfixed security issues, and on Fedora it was libcurl :) - Ken _______________________________________________ ceph-users mailing list ceph-users@lists.ceph.com http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
