On Thursday, October 14, 2021 3:27:03 PM CEST Steve Grubb wrote:
> On Thursday, October 14, 2021 6:51:54 AM EDT Kamil Dudka wrote:
> > > what is the plan with introduction of libcurl-minimal in Fedora?
> > I proposed to use libcurl-minimal and curl-minimal in minimal base images
> > half a year ago but there has been no reply so far:
> I'd like to suggest making libcurl-minimal very minimal for security
> reasons. The main curl package has many security issues (CVE's) constantly.
> But usually, the problem is in some obscure feature/protocol. Looking at
> the packages that depend on libcurl with rpmreaper, most would use http(s).
> There might be some that use another protocol. But clear text protocols
> like telnet and ftp really don't have a use in today's internet. Too many
> threats for clear text.
> So with security in mind - and not solving excessive dependencies, I'd
> suggest going very minimal. Just maybe 3 or 4 of the most used protocols by
> things that require libcurl.
This is exactly what the following bug (filed by Jan Pazdziora) is about:
The changes proposed in the above bug have already landed into Fedora Rawhide.
As I understand it, Zbyszek is now proposing to make changes to other packages
and/or distribution metadata in order to make (lib)curl-minimal actually used
on some Fedora installations by default.