On Saturday, October 16, 2021 5:32:17 PM CEST Richard W.M. Jones wrote:
> On Thu, Oct 14, 2021 at 09:52:59AM +0000, Zbigniew Jędrzejewski-Szmek wrote:
> > Hi Kamil and everyone,
> >
> > what is the plan with introduction of libcurl-minimal in Fedora?
> > IIUC, libcurl and libcurl-minimal both have the same Provides, so
> > libcurl-minimal can be used to satisfy automatically generated
> > dependencies:
> >
> > $ dnf repoquery --provides libcurl-minimal
> > libcurl = 7.78.0-3.fc35
> > libcurl(x86-32) = 7.78.0-3.fc35
> > libcurl(x86-64) = 7.78.0-3.fc35
> > libcurl-minimal = 7.78.0-3.fc35
> > libcurl-minimal(x86-32) = 7.78.0-3.fc35
> > libcurl-minimal(x86-64) = 7.78.0-3.fc35
> > libcurl.so.4
> > libcurl.so.4()(64bit)
> > $ dnf repoquery --provides libcurl
> > libcurl = 7.78.0-3.fc35
> > libcurl(x86-32) = 7.78.0-3.fc35
> > libcurl(x86-64) = 7.78.0-3.fc35
> > libcurl-full = 7.78.0-3.fc35
> > libcurl-full(x86-32) = 7.78.0-3.fc35
> > libcurl-full(x86-64) = 7.78.0-3.fc35
> > libcurl.so.4
> > libcurl.so.4()(64bit)
>
> What's the aim here? Small size on disk? General fear of having
> insecure but unused protocols linked with programs?

Both. The size reduction is, of course, more significant when you count
the libraries that are directly or indirectly pulled in by the rarely used
protocols or features of (lib)curl.
The decision whether a security issue applies to a certain deployment is often
not driven by experts with deep technical knowledge of projects like curl.
An argument that a protocol is normally not used by a program, or that the
protocol is disabled on almost all code paths, may appear less compelling to
the decision makers than if the code in question was simply not compiled in.

> It's a shame it has to be packaged this way. I got halfway through
> writing a curl handler (which I really must finish) and my impression
> is that at a code level they are quite modular, so maybe upstream
> would be interested in turning them into real loadable modules. Then
> we could package each protocol ("curl-http.so") as a separate RPM
> which is really best of all worlds.

That might be an alternative with all its pros and cons. But it is simply
not available now and nobody is working on it, as far as I know.

> In the meantime I'd like to encourage every program in Fedora that
> uses curl to call CURLOPT_PROTOCOLS(3). This is a real defence
> against remote exploits (CVE-2013-0249 was one that happened in qemu).

Yes, that makes sense.

> Rich.

Kamil