Re: Fedora and curl-minimal
From: Kamil Dudka via curl-library <curl-library_at_lists.haxx.se>
Date: Wed, 16 Mar 2022 14:24:03 +0100
Hi Patrick,
On Wednesday, March 16, 2022 12:50:56 PM CET Patrick Monnerat via curl-library wrote:
> On 3/16/22 08:56, Daniel Stenberg via curl-library wrote:
> > Hello friends,
> >
> > In case you missed this idea that popped up in the Fedora project, I
> > wrote up my take on it:
> >
> > https://daniel.haxx.se/blog/2022/03/16/fedora-and-curl-minimal/
>
> I did not follow the whole discussion about it but read the announcement
> on the fedora devel announce list.
>
> I don't like this idea and totally agree with your blog post.
>
> I presume they would remove it completely from the bare distro if it was
> possible, but they need it to support key components of the distro: the
> dnf installer and the abrt crash reporter. What is proposed as a
> "minimal" version is the strict necessary to support them (BTW: they do
> not mention the file:// protocol !).
our packaging of curl is fully public. Here is the list of protocols
and features that are currently disabled in the minimal installations:
https://src.fedoraproject.org/rpms/curl/blob/cd99025ff8e04abcbf1befe2c3ebefb6ad8df37f/f/curl.spec#_258
Please feel free to join the discussion about the technical details!
> To their credit, the security argument is not the only one: they also
> want to reduce external packages requirements. I can understand
> disabling things like brotli saves some (very tiny) resources without
> reducing the capabilities, but removing ntlm, smb and mail protocols
> doesn't spare a lot with regards to the resulting tool downgrade.
>
> What will be installed by default is not a utility anymore and will
> just, as you noted, force real users to manually install the full
> version :-(
Sure. If users want to use something, they need to install it first.
This is how packaging in Linux distributions works. The fact that the
curl tool is available by default on all installations of Fedora is just
a consequence of the fact that the `rpm` package itself depends on curl.
Not all Linux distributions have the curl tool installed by default.
> Regarding the security argument: we are very honest about our bugs and
> "advertise" them widely for the sake of our users (and I agree with
> this). Is it too much as it seems this plays against trust in curl in
> this case ? The reality is our (fixed) security flaws were far from
> prevalent and only a very few of them were practically exploitable.
>
> Patrick
This is not about how curl upstream handles security issues really, which
I believe is really good compared to other projects. We already use
hardening compiler flags, SELinux, etc. to reduce potential impact of
security vulnerabilities. Not having installed anything that is not
strictly needed is just another building block of this puzzle.
Kamil
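To make the "minimal" difference concrete for anyone scripting against an installed curl, here is an added example; it is not code from this thread, from Fedora's curl.spec or from the curl project. It is a small POSIX sh helper that parses the `Protocols:` and `Features:` lines of `curl --version` output and reports which requested schemes or features the build lacks. The two sample outputs are constructed for this example and only illustrate the kind of difference Patrick describes (brotli, NTLM, SMB and the mail protocols gone); they are not the real Fedora lists, which live in the linked curl.spec. The function names (`version_field`, `missing_items`, `check_installed`) are this example's own.

```shell
#!/bin/sh
# Added example, not from the curl-library thread or Fedora packaging.
# Tell a stripped-down curl build from a full one by reading `curl --version`.

# Constructed sample output of a "full" build (not a real Fedora build).
SAMPLE_FULL='curl 7.82.0 (x86_64-redhat-linux-gnu) libcurl/7.82.0 OpenSSL/3.0.2 zlib/1.2.11 brotli/1.0.9 libssh/0.9.6/openssl/zlib nghttp2/1.46.0
Release-Date: 2022-03-05
Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS brotli GSS-API HSTS HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM NTLM_WB PSL SPNEGO SSL TLS-SRP UnixSockets'

# Constructed sample output of a "minimal" style build; assumed, not copied
# from curl-minimal. Only illustrates the protocols/features being absent.
SAMPLE_MINIMAL='curl 7.82.0 (x86_64-redhat-linux-gnu) libcurl/7.82.0 OpenSSL/3.0.2 zlib/1.2.11 nghttp2/1.46.0
Release-Date: 2022-03-05
Protocols: file ftp ftps http https
Features: alt-svc AsynchDNS HSTS HTTP2 HTTPS-proxy IDN IPv6 Largefile libz PSL SSL UnixSockets'

# version_field FIELD  (FIELD is "Protocols" or "Features")
# Reads `curl --version` output on stdin and prints that line's item list,
# lower-cased so comparisons are case-insensitive (Features uses mixed case).
version_field() {
    sed -n "s/^$1: *//p" | tr 'A-Z' 'a-z'
}

# missing_items "<version output>" FIELD item...
# Prints, one per line, every requested item the build does not list.
# Returns 0 if everything is present, 1 if anything is missing.
missing_items() {
    out=$1
    field=$2
    shift 2
    # Surround with spaces so "ftp" cannot match inside "ftps" or "sftp".
    have=" $(printf '%s\n' "$out" | version_field "$field") "
    rc=0
    for want; do
        lc=$(printf '%s' "$want" | tr 'A-Z' 'a-z')
        case $have in
            *" $lc "*) ;;
            *) printf '%s\n' "$want"; rc=1 ;;
        esac
    done
    return $rc
}

# check_installed item...
# Same check against the curl binary actually in PATH (Protocols line).
# If curl is absent the output is empty and every item is reported missing.
check_installed() {
    missing_items "$(curl --version 2>/dev/null)" Protocols "$@"
}

# Demo on the constructed minimal sample: prints the schemes it lacks.
missing_items "$SAMPLE_MINIMAL" Protocols smb smbs imap imaps pop3 smtp || :
```

In a deployment script, `check_installed smb imap || dnf install -y curl` is the shape of guard this gives you: a curl tool built without a scheme fails at run time with "Protocol ... not supported or disabled in libcurl", and a libcurl application linked against the same build gets CURLE_UNSUPPORTED_PROTOCOL from the transfer rather than any error at build time, so the only reliable place to catch it is a check like this one.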
-- Unsubscribe: https://lists.haxx.se/listinfo/curl-library Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2022-03-16