Hello, On Thursday, October 14, 2021 6:51:54 AM EDT Kamil Dudka wrote: > > what is the plan with introduction of libcurl-minimal in Fedora? > > I proposed to use libcurl-minimal and curl-minimal in minimal base images > half a year ago but there has been no reply so far: > > https://pagure.io/minimization/issue/25 I'd like to suggest making libcurl-minimal very minimal for security reasons. The main curl package has many security issues (CVE's) constantly. But usually, the problem is in some obscure feature/protocol. Looking at the packages that depend on libcurl with rpmreaper, most would use http(s). There might be some that use another protocol. But clear text protocols like telnet and ftp really don't have a use in today's internet. Too many threats for clear text. So with security in mind - and not solving excessive dependencies, I'd suggest going very minimal. Just maybe 3 or 4 of the most used protocols by things that require libcurl. Cheers, -Steve _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
