On Thursday, October 14, 2021 3:27:03 PM CEST Steve Grubb wrote:
> Hello,
>
> On Thursday, October 14, 2021 6:51:54 AM EDT Kamil Dudka wrote:
> > > what is the plan with introduction of libcurl-minimal in Fedora?
> >
> > I proposed to use libcurl-minimal and curl-minimal in minimal base images
> > half a year ago but there has been no reply so far:
> > https://pagure.io/minimization/issue/25
>
> I'd like to suggest making libcurl-minimal very minimal for security
> reasons. The main curl package has many security issues (CVE's) constantly.
> But usually, the problem is in some obscure feature/protocol. Looking at
> the packages that depend on libcurl with rpmreaper, most would use http(s).
> There might be some that use another protocol. But clear text protocols
> like telnet and ftp really don't have a use in today's internet. Too many
> threats for clear text.
>
> So with security in mind - and not solving excessive dependencies, I'd
> suggest going very minimal. Just maybe 3 or 4 of the most used protocols by
> things that require libcurl.
>
> Cheers,
> -Steve

Hi Steve,

this is exactly what the following bug (filed by Jan Pazdziora) is about:

https://bugzilla.redhat.com/2005874

The changes proposed in the above bug have already landed into Fedora Rawhide.
As I understand it, Zbyszek is now proposing to make changes to other packages
and/or distribution metadata in order to make (lib)curl-minimal actually used
on some Fedora installations by default.

Kamil