On Tue, Feb 22, 2022 at 5:00 PM Ben Cotton <bcotton(a)redhat.com> wrote:
> == Summary ==
> `libcurl-minimal` and `curl-minimal` will be installed by default
> instead of `libcurl` and `curl`.
> The "minimal" variants provide only a subset of protocols (HTTP, HTTPS, FTP).
Does it make sense to keep FTP with most browsers obsoleting the
protocol due to lack of security?
> The full versions can be explicitly requested as `libcurl-full` and `curl-full`.
> == Owner ==
> * Name: [[User:Zbyszek| Zbigniew Jędrzejewski-Szmek]]
> * Email: zbyszek at in.waw.pl
> * Name: [[User:Kdudka| Kamil Dudka]]
> * Email: kdudka at redhat.com
> == Detailed Description ==
> The `curl` package provides two sets of subpackages: `curl`+`libcurl`
> and `curl-minimal`+`libcurl-minimal`.
> `curl-minimal`+`libcurl-minimal` are compiled with various
> semi-obsolete protocols and infrequently-used features disabled:
> DICT, GOPHER, IMAP, LDAP, LDAPS, MQTT, NTLM, POP3, RTSP, SMB, SMTP,
> SFTP, SCP, TELNET, TFTP, brotli compression, IDN2 names.
> (Both variants support HTTP, HTTPS, and FTP.)
> `curl-minimal` has `Provides:curl` and `libcurl-minimal` has `Provides:libcurl`.
> This means that both sets can be used to satisfy a dependency on
> `curl` or `libcurl`.
> `curl` has the virtual `Provides:curl-full` and `libcurl` has the
> virtual `Provides:libcurl-full`.
> The user or another package can explicitly pull in the full variants,
> e.g. with `dnf install curl-full`
> or `Requires: libcurl-full`.
> With this change, `Suggests: libcurl-minimal` or `Suggests: curl-minimal`
> will be added to a few packages that already have a dependency on
> `libcurl` or `curl`.
> Currently, doing this for `systemd` and `rpm` is planned.
> Effectively, `dnf` will install the minimal variants, unless another
> package has a stronger dependency on the full variants.
> == Benefit to Fedora ==
> There are two separate motivations for this.
> Those infrequently used protocols are less tested than the common ones
> and are a source of security bugs.
> Most users are not using those protocols anyway, so disabling them
> reduces the bug and attack surface.
> (In fact, many applications already call
> `curl_easy_setopt(c, CURLOPT_PROTOCOLS, …)` to internally limit what
> protocols are supported. So even if `libcurl` is swapped for
> `libcurl-minimal`, for many uses this will not make a difference.)
> The packages for the minimal variants are smaller:
> a trivial installation with `curl-minimal`+`libcurl-minimal` is 18 MB
> download, 57 MB installed size, 50 packages;
> the same with `curl-full` and `libcurl-full` is 21 MB download, 65 MB
> installed size, 62 packages.
> Thus we save 8 MB, reducing the initial size by 12%.
> == Scope ==
> * Proposal owners:
> Create pull requests to add `Suggests: curl-minimal` or
> `Suggests: libcurl-minimal` as appropriate to packages which already
> require `curl` or `libcurl`: `rpm` and `systemd`.
> This means that any installation (which should be most of them) will
> get the minimal variants.
> * Other developers:
> For packages that use the full variants: add `Recommends: curl-full`
> or `Recommends: libcurl-full` or
> `Requires: curl-full` or `Requires: libcurl-full` as appropriate.
> * Release engineering:
> * Policies and guidelines: N/A (not needed for this Change)
> * Trademark approval: N/A (not needed for this Change)
> * Alignment with Objectives:
> == Upgrade/compatibility impact ==
> Users who use curl or another application which uses libcurl with the
> removed protocols will lose support for those protocols. They will
> need to explicitly install the full variants.
> == How To Test ==
> `dnf swap curl curl-minimal` or `dnf swap libcurl libcurl-minimal` and
> check that `curl` and other applications using `libcurl` still work.
> == User Experience ==
> This should not be noticed by users, except as noted above in
> Upgrade/compatibility impact.
> == Dependencies ==
> == Contingency Plan ==
> Remove the additions of Suggests, or even add explicit Recommends or Requires.
> * Contingency deadline: any time, possibly even after the final release
> * Blocks release? No
> == Documentation ==
> This page should be enough.
> == Release Notes ==
> `curl-minimal` and `libcurl-minimal` are installed by default. The
> support for various obsolete protocols is unavailable by default
> through curl (DICT, GOPHER, IMAP, LDAP, LDAPS, MQTT, NTLM, POP3, RTSP,
> SMB, SMTP, SFTP, SCP, TELNET, TFTP, brotli compression, IDN2 names).
> Ben Cotton
> He / Him / His
> Fedora Program Manager
> Red Hat
> devel mailing list -- devel(a)lists.fedoraproject.org
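The "How To Test" section above asks you to swap in the minimal variant and confirm that applications still work. A quick way to see what will actually be lost is the `Protocols:` line that `curl --version` prints, which reflects what the installed libcurl was built with. The script below is an added example, not part of the proposal or of the curl package; the function names (`curl_protocols`, `protocol_supported`, `missing_protocols`) are my own, and the `MINIMAL_OUTPUT` sample is a constructed stand-in for the output of a curl-minimal build (only FTP, HTTP and HTTPS, as the proposal states).

```shell
#!/bin/sh
# Added example (not from the Fedora proposal or the curl project): compare
# the protocols an application needs against the "Protocols:" line of
# `curl --version`, so a swap to curl-minimal/libcurl-minimal can be checked
# before it breaks something.

# Extract the protocol list from `curl --version` output read on stdin.
curl_protocols() {
    sed -n 's/^Protocols: *//p'
}

# protocol_supported PROTO "VERSION_OUTPUT": exit 0 if PROTO is listed.
protocol_supported() {
    proto=$1
    printf '%s\n' "$2" | curl_protocols | tr ' ' '\n' | grep -qx "$proto"
}

# missing_protocols "VERSION_OUTPUT" PROTO...: print each PROTO not listed.
missing_protocols() {
    out=$1
    shift
    for p in "$@"; do
        protocol_supported "$p" "$out" || printf '%s\n' "$p"
    done
}

# Constructed sample resembling what a curl-minimal build would report.
# Version numbers and features are placeholders, not measured values.
MINIMAL_OUTPUT='curl X.Y.Z (x86_64-redhat-linux-gnu) libcurl/X.Y.Z
Release-Date: YYYY-MM-DD
Protocols: ftp http https
Features: HTTPS-proxy IPv6 Largefile SSL'

# On a real host, run:  sh thisscript.sh --check sftp smtp ldap
# Prints the protocols from the list that the installed curl lacks.
if [ "${1:-}" = "--check" ]; then
    shift
    missing_protocols "$(curl --version 2>/dev/null)" "$@"
fi
```

Run it against the live system with `--check` followed by the protocols your scripts or applications rely on; anything printed is what would stop working after `dnf swap libcurl libcurl-minimal`, and is the cue to add an explicit `Requires: libcurl-full` (or install `curl-full`) as the proposal describes. `rpm -q --whatprovides libcurl` tells you which variant currently satisfies the `libcurl` dependency.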