Bug 1967213 - disable metalink support in curl
Summary: disable metalink support in curl
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: curl
Version: 9.0
Hardware: All
OS: Linux
high
high
Target Milestone: beta
: 9.0 Beta
Assignee: Kamil Dudka
QA Contact: Daniel Rusek
Prerana Sharma
URL:
Whiteboard:
Depends On:
Blocks: 1967221
TreeView+ depends on / blocked
 
Reported: 2021-06-02 15:56 UTC by Kamil Dudka
Modified: 2021-12-07 21:26 UTC (History)
2 users (show)

Fixed In Version: curl-7.76.1-5.el9
Doc Type: No Doc Update
Doc Text:
Clone Of:
: 1967216 1967221 (view as bug list)
Environment:
Last Closed: 2021-12-07 21:24:13 UTC
Type: Bug
Target Upstream Version:

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Kamil Dudka 2021-06-02 15:56:56 UTC 
Description of problem:
Today curl upstream announced that they are going to completely remove support for metalink from curl already in the next release of curl due to a number of difficult to fix security issues:

    https://curl.se/mail/archive-2021-06/0006.html
    https://github.com/curl/curl/pull/7176

I believe it is not too late to follow this decision in RHEL-9, too.  We could hardly support it ourselves till RHEL-9 EOL when it is broken and unsupported upstream since the beginning.


Version-Release number of selected component (if applicable):
curl-7.76.1-4.el9


Steps to Reproduce:
1. curl -V | grep -i metalink


Additional info:
We might want to do the same with wget and consider removing libmetalink, which seems to be dead upstream:

    https://launchpad.net/libmetalink

I will file separate bugs for wget and libmetalink for consideration.
Comment 1 Kamil Dudka 2021-06-02 17:56:15 UTC 
Fedora commit: https://src.fedoraproject.org/rpms/curl/c/ddaf41062c974e64f5ce0b74825174554c80f7ad?branch=rawhide
Note You need to log in before you can comment on or make changes to this bug.