curl / Mailing Lists / curl-library / Single Mail
Buy commercial curl support from WolfSSL. We help you work out your issues, debug your libcurl applications, use the API, port to new platforms, add new features and more. With a team lead by the curl founder himself.

Re: Fedora and curl-minimal

From: Patrick Monnerat via curl-library <curl-library_at_lists.haxx.se>
Date: Wed, 16 Mar 2022 12:50:56 +0100

On 3/16/22 08:56, Daniel Stenberg via curl-library wrote:
> Hello friends,
>
> In case you missed this idea that popped up in the Fedora project, I
> wrote up my take on it:
>
>   https://daniel.haxx.se/blog/2022/03/16/fedora-and-curl-minimal/
>
I did not follow the whole discussion about it but read the announcement
on the fedora devel announce list.

I don't like this idea and totally agree with your blog post.

I presume they would remove it completely from the bare distro if it was
possible, but they need it to support key components of the distro: the
dnf installer and the abrt crash reporter. What is proposed as a
"minimal" version is the strict necessary to support them (BTW: they do
not mention the file:// protocol !).

To their credit, the security argument is not the only one: they also
want to reduce external packages requirements. I can understand
disabling things like brotli saves some (very tiny) resources without
reducing the capabilities, but removing ntlm, smb and mail protocols
doesn't spare a lot with regards to the resulting tool downgrade.

What will be installed by default is not a utility anymore and will
just, as you noted, force real users to manually install the full
version :-(

Regarding the security argument: we are very honest about our bugs and
"advertise" them widely for the sake of our users (and I agree with
this). Is it too much as it seems this plays against trust in curl in
this case ? The reality is our (fixed) security flaws were far from
prevalent and only a very few of them were practically exploitable.

Patrick

-- 
Unsubscribe: https://lists.haxx.se/listinfo/curl-library
Etiquette:   https://curl.haxx.se/mail/etiquette.html
Received on 2022-03-16