On Tuesday, February 22, 2022 10:47:40 PM CET Chris Adams wrote: > Once upon a time, Demi Marie Obenour <demioben...@gmail.com> said: > > > As mentioned above, the purpose of this change is to ensure that > > vulnerabilities in obscure protocols impact a smaller fraction of > > users. Right now, a vulnerability in an obscure protocol impacts > > most users. With this change, it will only impact users that have > > installed the full version of curl. This is independent of whether a > > given protocol should be disabled outright. > > > I just feel that if there's enough security concern with some of the > code, then Fedora shouldn't ship that code. Either the code is secure > enough and maintained well enough to ship, or it's not.
With your line of reasoning, one could also disable all the hardening etc. Software security is not a black and white problem and terms like "secure enough" do not work in practice. Security policies rather work with terms like probability and impact. The lower those values are the better. Kamil > Otherwise, don't list this as a justification for the change proposal. > > -- > Chris Adams <li...@cmadams.net> _______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure