On Thursday, March 3, 2022 10:49:07 PM CET Richard W.M. Jones wrote:
(1) I don't deny that curl-minimal will reduce the size of some
niche
containers, my point is this is not a worthwhile goal to pursue given
the costs.
I am pretty sure there are Fedora installations not based on containers
where the installation footprint is also important.
(2) Once people have unbroken their Fedora by installing curl-full,
the security claims you make about compiled code paths are not
applicable.
The users who install libcurl-full will have the same attack surface that
they have today. However, as pointed out by others, not all users will
install libcurl-full and those will be a priory unaffected by a portion
of the CVEs that we regularly deal with.
We are also tweaking the configuration of libcurl-minimal to ensure that
it can be used as a replacement for libcurl-full on the most common Fedora
installations. For example, the FTP protocol was left in libcurl-minimal
for now, despite the protocol is not optimal form security experts' point
of view, and libidn was enabled in libcurl-minimal last week:
https://src.fedoraproject.org/rpms/curl/c/cf3c14e4
Your suggestion to use CURLOPT_PROTOCOLS is a good idea and I fully support
it but it cannot be a replacement for libcurl-minimal because there is no
algorithmic way to decide whether all users of libcurl disable a problematic
protocol on all reachable code paths. The problem is in general undecidable.
Kamil