On Fri, Sep 16, 2016 at 2:03 PM, Ken Dreyer <kdre...@redhat.com> wrote:
> Hi Casey,
> That warning message tells users to upgrade to a new version of
> libcurl. Telling users to upgrade to a newer version of a base system
> package like that sets the user on a trajectory to have to maintain
> their own curl packages forever, decreasing the security of their
> overall system in the long run. For example ceph.com itself shipped a
> newer el6 curl package for a while in "ceph-extras", until it fell off
> everyone's radar, no one updated it, and it had many outstanding CVEs
> until we finally dropped el6 support altogether.

I got the details wrong here - in ceph-extras, it was qemu-kvm on el6
that had a bunch of unfixed security issues, and on Fedora it was
libcurl :)

- Ken
ceph-users mailing list
