Re: Fedora and curl-minimal
From: Patrick Monnerat via curl-library <curl-library_at_lists.haxx.se>
Date: Wed, 16 Mar 2022 12:50:56 +0100
On 3/16/22 08:56, Daniel Stenberg via curl-library wrote:
> Hello friends,
>
> In case you missed this idea that popped up in the Fedora project, I
> wrote up my take on it:
>
> https://daniel.haxx.se/blog/2022/03/16/fedora-and-curl-minimal/
>
I did not follow the whole discussion about it but read the announcement
on the fedora devel announce list.
I don't like this idea and totally agree with your blog post.
I presume they would remove it completely from the bare distro if it was
possible, but they need it to support key components of the distro: the
dnf installer and the abrt crash reporter. What is proposed as a
"minimal" version is the strict minimum necessary to support them (BTW: they do
not mention the file:// protocol!).
To their credit, the security argument is not the only one: they also
want to reduce external package requirements. I can understand that
disabling things like brotli saves some (very tiny) resources without
reducing the capabilities, but removing ntlm, smb and mail protocols
doesn't spare a lot with regard to the resulting tool downgrade.
What will be installed by default is not a utility anymore and will
just, as you noted, force real users to manually install the full
version :-(
Regarding the security argument: we are very honest about our bugs and
"advertise" them widely for the sake of our users (and I agree with
this). Is it too much, as it seems this plays against trust in curl in
this case? The reality is our (fixed) security flaws were far from
prevalent and only a very few of them were practically exploitable.
Patrick
Received on 2022-03-16