I've been playing with jrb's Jammypup & F96-CE. I noticed (particularly) Curl is quite outdated.
I am unsure of the best procedure for replacement, as current versions are compiled with gnutls.
I have usually compiled Curl with openssl only. No errors emanate & gnutls has way too many
dependencies for me to update it.
Am I opening up a security hole if I remove libgnutls-curl & Curl, & then replace them with
updated Curl compiled with just openssl?
Curl question
-
- Posts: 1400
- Joined: Sun Jul 12, 2020 2:38 am
- Location: S.E. Australia
- Has thanked: 213 times
- Been thanked: 617 times
Curl question
-
- Posts: 852
- Joined: Wed Aug 19, 2020 5:43 pm
- Location: Edinburgh
- Has thanked: 531 times
- Been thanked: 234 times
- Contact:
Re: Curl question
It's impossible for me answer a YES / NO question when talking about puppy.
In my oppinion, removing libgnutls-curl and replacing curl with an updated version compiled with OpenSSL should not be necessarily a security hole, but it may have implications for other software on your system that depends on these libraries. It's important to carefully consider the dependencies and potential impact of any changes before making them, but I think there is no problem in trying.
Make a security copy of your system, and start trying... You should consider that the version of Curl you are using is up-to-date and has no known vulnerabilities. Good starts usually gives good results.....
Enjoy this weekend.- CHEERS
~
F96CE_XFCE_FUSILLI ====> https://puppyxfcefusilli.wordpress.com/
Re: Curl question
@ozsouth
If you do decide to implement this change ........... which branch of OpenSSL would you be utilising?
Support for 1.1.1 ends on September 11.
Also, remember it also needs to be updated in the DevX as well.
-
- Posts: 1400
- Joined: Sun Jul 12, 2020 2:38 am
- Location: S.E. Australia
- Has thanked: 213 times
- Been thanked: 617 times
Re: Curl question
@pp4mnklinux - Having done this before, nothing SEEMS to be yelping about missing libs, but my worry
is that if something depends on libgnutls-curl for security, I might unknowingly have an issue.
Conversely, if I leave it there, the new curl version is a mismatch - also a potential issue.
@Jasper - in Jammypup, I'm using openssl 3.0.2. Thanks for the devx reminder - I'd forgotten.
Since the current Jammypup Curl (7.81) is dated 5 Jan 2022, maybe better overall to leave it alone.
Re: Curl question
Ubuntu 22.04 sticks to a certain curl version and Canonical backports fixes for security issues from later versions, when vulnerabilities affect this older version too. LTS means sticking to an old version and backporting bug and security fixes for 5 years, not constantly updating to the latest curl for 5 years.
You're not necessarily using a more secure curl if you're updating, especially if you're not constantly chasing the latest version and applying all security patches queued for the next curl release.
Re: Curl question
@ozsouth
I took a gamble and tried it and it worked(99%...lol)
Puppy Linux is so flexible as an OS, I am always surprised and I am genuinely grateful to all that work behind the scene
BTW ..... the kernel 6.2xx is deprecated...... I know your on a sabbatical