
Re: Fedora and curl-minimal

From: Kamil Dudka via curl-library <curl-library_at_lists.haxx.se>
Date: Thu, 17 Mar 2022 08:34:30 +0100

On Thursday, March 17, 2022 3:32:45 AM CET Henrik Holst wrote:
> Another point when it comes to security is that if the version of curl
> provided by the distro does not support the protocols the user needs (and
> sorry for my ignorance here since I do not know if Fedora also has another
> "fuller" curl package so I'm speaking in more general terms here) then many
> end users will simply download the source from upstream, do the make &&
> make install dance and move on, extremely few of them will ever update this
> version so IMHO security becomes worse. True that the distro itself hasn't
> gotten worse security by this but the end result is still lots of insecure
> installs.
>
> /HH

I am not sure where this confusion comes from. The build of libcurl with the
original configuration is *not* going away from Fedora. The libcurl-minimal
subpackage was introduced back in 2017:

    https://src.fedoraproject.org/rpms/curl/c/9b62c3ea

The solution was presented at the curl-up 2018 conference and nobody from curl
upstream has ever mentioned it would be a bad idea:

    https://kdudka.fedorapeople.org/curlup18-kdudka.pdf

Users of Fedora can choose themselves which build of libcurl they will use.
On a system where libcurl-minimal is already installed, they can upgrade to
the feature-rich build of curl with just one command:

    # yum install --allowerasing libcurl-full

The effort to switch the default in Fedora, which was rejected anyway, was
driven by the Fedora Minimization Objective (nothing specific to curl really):

    https://docs.fedoraproject.org/en-US/minimization/

Gentoo's ebuild of curl has more than 30 use flags, where most of them are
disabled by default. So the curl features are not available to Gentoo users
until they rebuild curl with the corresponding use flags enabled, and nobody
freaks out about it.

Kamil


Received on 2022-03-17