On Thu, Oct 14, 2021 at 09:52:59AM +0000, Zbigniew Jędrzejewski-Szmek wrote:
Hi Kamil and everyone,
what is the plan with introduction of libcurl-minimal in Fedora?
IIUC, libcurl and libcurl-minimal both have the same Provides, so libcurl-minimal
can be used to satisfy automatically generated dependencies:
$ dnf repoquery --provides libcurl-minimal
libcurl = 7.78.0-3.fc35
libcurl(x86-32) = 7.78.0-3.fc35
libcurl(x86-64) = 7.78.0-3.fc35
libcurl-minimal = 7.78.0-3.fc35
libcurl-minimal(x86-32) = 7.78.0-3.fc35
libcurl-minimal(x86-64) = 7.78.0-3.fc35
libcurl.so.4
libcurl.so.4()(64bit)
$ dnf repoquery --provides libcurl
libcurl = 7.78.0-3.fc35
libcurl(x86-32) = 7.78.0-3.fc35
libcurl(x86-64) = 7.78.0-3.fc35
libcurl-full = 7.78.0-3.fc35
libcurl-full(x86-32) = 7.78.0-3.fc35
libcurl-full(x86-64) = 7.78.0-3.fc35
libcurl.so.4
libcurl.so.4()(64bit)
What's the aim here? Small size on disk? General fear of having
insecure but unused protocols linked with programs?
It's a shame it has to be packaged this way. I got half way through
writing a curl handler (which I really must finish) and my impression
is that at a code level they are quite modular, so maybe upstream
would be interested in turning them into real loadable modules. Then
we could package each protocol ("curl-http.so") as a separate RPM
which is really best of all worlds.
In the meantime I'd like to encourage every program in Fedora that
uses curl to call CURLOPT_PROTOCOLS(3). This is a real defence
against remote exploits (CVE-2013-0249 was one that happened in qemu).
Rich.
--
Richard Jones, Virtualization Group, Red Hat
http://people.redhat.com/~rjones
Read my programming and virtualization blog:
http://rwmj.wordpress.com
virt-builder quickly builds VMs from scratch
http://libguestfs.org/virt-builder.1.html