On 3/3/22 16:49, Richard W.M. Jones wrote:
On Thu, Mar 03, 2022 at 08:14:20PM +0100, Kamil Dudka wrote:
On Thursday, March 3, 2022 3:24:38 PM CET Richard W.M. Jones wrote:
On Thu, Mar 03, 2022 at 09:04:10AM +0100, Kamil Dudka wrote:
The FTP protocol is still included in libcurl-minimal, so the protocol is not going to disappear with the proposed F37 change. On the other hand, it may happen that FTP will be unavailable by default in a year or two.
I'm still wondering what you're trying to achieve with this change.
The stated benefits[1] are that the "minimal variants are smaller", which is a non-goal for almost everyone. And something to do with security which will be immediately negated once everyone unbreaks their Fedora by installing curl-full. And the security angle would be better fixed by reviewing Fedora packages for correct use of CURLOPT_PROTOCOLS (see my other email[2]).
Rich.
[1] https://fedoraproject.org/wiki/Changes/CurlMinimal_as_Default#Benefit_to_Fed... [2] ttps://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/7PQUPLCEQ5NMXFXZTP75XYDNF5KAJHMI/
I answered both your questions back in October 2021:
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/ZZMU36DFRSDJOIJJ75CLF45R6GDVSEYI/
FTR you didn't actually answer the points there.
(1) I don't deny that curl-minimal will reduce the size of some niche containers, my point is this is not a worthwhile goal to pursue given the costs.
(2) Once people have unbroken their Fedora by installing curl-full, the security claims you make about compiled code paths are not applicable.
Not everyone will need to install curl-full! One of my VMs only has curl-minimal and works fine for my uses. Another approach would be to limit CURLOPT_REDIR_PROTOCOLS by default; I doubt many people are using redirects to protocols other than HTTP or HTTPS. However, these are independent of each other.