Hello,
On Thursday, October 14, 2021 6:51:54 AM EDT Kamil Dudka wrote:
> what is the plan with introduction of libcurl-minimal in
Fedora?
I proposed to use libcurl-minimal and curl-minimal in minimal base images
half a year ago but there has been no reply so far:
https://pagure.io/minimization/issue/25
I'd like to suggest making libcurl-minimal very minimal for security reasons.
The main curl package has many security issues (CVE's) constantly. But
usually, the problem is in some obscure feature/protocol. Looking at the
packages that depend on libcurl with rpmreaper, most would use http(s). There
might be some that use another protocol. But clear text protocols like telnet
and ftp really don't have a use in today's internet. Too many threats for
clear text.
So with security in mind - and not solving excessive dependencies, I'd
suggest going very minimal. Just maybe 3 or 4 of the most used protocols by
things that require libcurl.
Cheers,
-Steve