On Tue, Feb 22, 2022 at 5:00 PM Ben Cotton <bcot...@redhat.com> wrote:
>
> https://fedoraproject.org/wiki/Changes/CurlMinimal_as_Default
>
> == Summary ==
> `libcurl-minimal` and `curl-minimal` will be installed by default
> instead of `libcurl` and `curl`.
> The "minimal" variants provide only a subset of protocols (HTTP, HTTPS, FTP).

Does it make sense to keep FTP with most browsers obsoleting the
protocol due to lack of security?

> The full versions can be explicitly requested as `libcurl-full` and 
> `curl-full`.
>
> == Owner ==
> * Name: [[User:Zbyszek| Zbigniew Jędrzejewski-Szmek]]
> * Email: zbyszek at in.waw.pl
> * Name: [[User:Kdudka| Kamil Dudka]]
> * Email: kdudka at redhat.com
>
>
> == Detailed Description ==
>
> The `curl` package provides two sets of subpackages: `curl`+`libcurl`
> and `curl-minimal`+`libcurl+minimal`.
> `curl-minimal`+`libcurl-minimal` are compiled with various
> semi-obsolete protocols and infrequently-used features disabled:
> DICT, GOPHER, IMAP, LDAP, LDAPS, MQTT, NTLM, POP3, RTSP, SMB, SMTP,
> SFTP, SCP, TELNET, TFTP, brotli compression, IDN2 names.
>
> (Both variants support HTTP, HTTPS, and FTP.)
>
> `curl-minimal` has `Provides:curl` and `libcurl-minimal` has 
> `Provides:libcurl`.
> This means that both sets can be used to satisfy a dependency on
> `curl` or `libcurl`.
> `curl` has the virtual `Provides:curl-full` and `libcurl` has the
> virtual `Provides:libcurl-full`.
> The user or another package can explicitly pull in the full variants,
> e.g. with `dnf install curl-full`
> or `Requires: libcurl-full`.
> With this change, `Suggests: libcurl-minimal` or `Suggests:
> curl-minimal` will be added to a few packages
> that already have a dependency on `libcurl` or `curl`.
> Currently, doing this for `systemd` and `rpm` is planned.
> Effectively, `dnf` will install the minimal variants, unless another
> package has a stronger dependency on the full variants.
>
>
> == Benefit to Fedora ==
> There are two separate motivations for this.
>
> Those infrequently used protocols are less tested than the common ones
> and are a source of security bugs.
> Most users are not using those protocols anyway, so disabling them
> reduces the bug and attack surface.
> (In fact, many applications already call `curl_easy_setopt(c,
> CURLOPT_PROTOCOLS, …)` to internally
> limit what protocols are supported. So even if `libcurl` is swapped
> for `libcurl-minimal` for many
> uses this will not be a difference.)
>
> The packages for the minimal variants are smaller:
> a trivial installation with `curl-minimal`+`libcurl-minimal` is 18 MB
> download, 57 MB installed size, 50 packages;
> the same with `curl-full` and `libcurl-full` is 21 MB download, 65 MB
> installed size, 62 packages.
> Thus we save 8 MB, reducing the initial size by 12%.
>
> == Scope ==
> * Proposal owners:
> Create pull requests to add `Suggests: curl-minimal` or `Suggests:
> libcurl-minimal` as appropriate
> to packages which already require `curl` or `libcurl`: `rpm` and `systemd`.
> This means that any installation (which should be most of them) will
> get the minimal variants.
>
> * Other developers:
> For packages that use the full variants: add `Recommends: curl-full`
> or `Recommends: libcurl-full` or
> `Requires: curl-full` or `Requires: libcurl-full` as appropriate.
>
> * Release engineering:
> * Policies and guidelines: N/A (not needed for this Change)
> * Trademark approval: N/A (not needed for this Change)
> * Alignment with Objectives:
>
> == Upgrade/compatibility impact ==
> Users who use curl or another application which uses libcurl with the
> removed protocols will lose support for those protocols. They will
> need to explicitly install the full variants.
>
> == How To Test ==
> `dnf swap curl curl-minimal` or `dnf swap libcurl libcurl-minimal` and
> check that `curl` and other applications using `libcurl` still work.
>
> == User Experience ==
> This should not be noticed by users, except as noted above in
> Upgrade/compatibility impact.
>
> == Dependencies ==
>
> == Contingency Plan ==
>
> Remove the additions of Suggests, or even add explicit Recommends or Requires.
> * Contingency deadline: any time, possibly even after the final release
> * Blocks release? No
>
> == Documentation ==
> This page should be enough.
>
> == Release Notes ==
> `curl-minimal` and `libcurl-minimal` are installed by default. The
> support for various obsolete protocols is unavailable by default
> through curl (DICT, GOPHER, IMAP, LDAP, LDAPS, MQTT, NTLM, POP3, RTSP,
> SMB, SMTP, SFTP, SCP, TELNET, TFTP, brotli compression, IDN2 names).
>
>
> --
> Ben Cotton
> He / Him / His
> Fedora Program Manager
> Red Hat
> TZ=America/Indiana/Indianapolis
> _______________________________________________
> devel mailing list -- devel@lists.fedoraproject.org
> To unsubscribe send an email to devel-le...@lists.fedoraproject.org
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
> Do not reply to spam on the list, report it: 
> https://pagure.io/fedora-infrastructure
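Added example, not part of the proposal or of the reply above: a small POSIX sh check for the "How To Test" step. After `dnf swap curl curl-minimal` it parses the `Protocols:` line that `curl --version` prints and reports which protocols an application still needs but the installed build no longer provides. The two version outputs embedded below are constructed to match the protocol lists in the proposal; they are not captured from real Fedora curl or curl-minimal packages, and the "application needs HTTPS and SFTP" requirement is a made-up one for illustration.

```shell
#!/bin/sh
# Added example, not from the Fedora change proposal: verify which protocols
# the installed curl build provides, by parsing the "Protocols:" line that
# `curl --version` prints. Run after `dnf swap curl curl-minimal` to confirm
# that nothing an application relies on was dropped.

# Constructed sample outputs modelled on the proposal's protocol lists
# (minimal: HTTP, HTTPS, FTP; full: the rest as well). These are not
# captured from real curl or curl-minimal builds.
MINIMAL_VERSION_OUTPUT='curl 0.0.0 (constructed sample, not a real build)
Protocols: ftp http https
Features: HTTPS-proxy IPv6 SSL'

FULL_VERSION_OUTPUT='curl 0.0.0 (constructed sample, not a real build)
Protocols: dict ftp gopher http https imap ldap ldaps mqtt pop3 rtsp scp sftp smb smtp telnet tftp
Features: HTTPS-proxy IPv6 NTLM SSL brotli'

# Print the space-separated list from the "Protocols:" line of $1.
curl_protocols() {
    printf '%s\n' "$1" | sed -n 's/^Protocols: *//p'
}

# Return 0 if protocol $2 (matched case-insensitively) is listed in $1.
curl_has_protocol() {
    proto=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    for p in $(curl_protocols "$1"); do
        [ "$p" = "$proto" ] && return 0
    done
    return 1
}

# Print the protocols from $2.. that $1 does not list; return 1 if any are
# missing, 0 if the build covers everything requested.
curl_missing_protocols() {
    out=$1
    shift
    missing=""
    for want in "$@"; do
        curl_has_protocol "$out" "$want" || missing="$missing $want"
    done
    missing=${missing# }
    printf '%s\n' "$missing"
    [ -z "$missing" ]
}

# Stand-alone demonstration: a hypothetical application that needs HTTPS and
# SFTP is satisfied by the full build but not by the minimal one.
curl_missing_protocols "$FULL_VERSION_OUTPUT" https sftp >/dev/null \
    && echo "full build: all required protocols present"
curl_missing_protocols "$MINIMAL_VERSION_OUTPUT" https sftp >/dev/null \
    || echo "minimal build: missing protocols, install curl-full"

# Against the real binary, when curl is installed on this host.
if command -v curl >/dev/null 2>&1; then
    missing_now=$(curl_missing_protocols "$(curl --version 2>/dev/null)" https sftp) \
        || echo "installed curl lacks: $missing_now (dnf install curl-full)"
fi
```

The check keys off the `Protocols:` line only; features the proposal also drops from the minimal build (brotli, IDN2) show up on the `Features:` line of `curl --version` and would need a separate check. A package that genuinely needs one of the dropped protocols should fix this in its spec file with `Requires: libcurl-full` rather than rely on a post-install test.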