Re: libcurl-minimal

On Saturday, October 16, 2021 5:32:17 PM CEST Richard W.M. Jones wrote:
> On Thu, Oct 14, 2021 at 09:52:59AM +0000, Zbigniew Jędrzejewski-Szmek wrote:
> > Hi Kamil and everyone,
> > 
> > what is the plan with introduction of libcurl-minimal in Fedora?
> > IIUC, libcurl and libcurl-minimal both have the same Provides, so
> > libcurl-minimal can be used to satisfy automatically generated
> > dependencies:
> > 
> > $ dnf repoquery --provides libcurl-minimal
> > libcurl = 7.78.0-3.fc35
> > libcurl(x86-32) = 7.78.0-3.fc35
> > libcurl(x86-64) = 7.78.0-3.fc35
> > libcurl-minimal = 7.78.0-3.fc35
> > libcurl-minimal(x86-32) = 7.78.0-3.fc35
> > libcurl-minimal(x86-64) = 7.78.0-3.fc35
> > libcurl.so.4
> > libcurl.so.4()(64bit)
> > $ dnf repoquery --provides libcurl
> > libcurl = 7.78.0-3.fc35
> > libcurl(x86-32) = 7.78.0-3.fc35
> > libcurl(x86-64) = 7.78.0-3.fc35
> > libcurl-full = 7.78.0-3.fc35
> > libcurl-full(x86-32) = 7.78.0-3.fc35
> > libcurl-full(x86-64) = 7.78.0-3.fc35
> > libcurl.so.4
> > libcurl.so.4()(64bit)
> 
> What's the aim here?  Small size on disk?  General fear of having
> insecure but unused protocols linked with programs?

Both.  The size reduction is, of course, more significant when you count
the libraries that are directly or indirectly pulled in by the rarely used
protocols or features of (lib)curl.

The decision whether a security issue applies to a certain deployment is often
not driven by experts with deep technical knowledge of projects like curl.
An argument that a protocol is normally not used by a program, or that the
protocol is disabled on almost all code paths, may appear less compelling to
the decision makers than if the code in question was simply not compiled in.

> It's a shame it has to be packaged this way.  I got half way through
> writing a curl handler (which I really must finish) and my impression
> is that at a code level they are quite modular, so maybe upstream
> would be interested in turning them into real loadable modules.  Then
> we could package each protocol ("curl-http.so") as a separate RPM
> which is really best of all worlds.

That might be an alternative with all its pros and cons.  But it is simply
not available now and nobody is working on it, as far as I know.

> In the meantime I'd like to encourage every program in Fedora that
> uses curl to call CURLOPT_PROTOCOLS(3).  This is a real defence
> against remote exploits (CVE-2013-0249 was one that happened in qemu).

Yes, that makes sense.

Kamil

> Rich.
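The CURLOPT_PROTOCOLS(3) advice above, shown as an added example that is not part of the thread and not code from curl, qemu or Fedora. It drives libcurl through ctypes so it runs without the curl development headers; it assumes a `libcurl.so.4` is installed (full or minimal build), and the option and error numbers are copied from `<curl/curl.h>`, where they are ABI-stable. A scheme outside the allow-list is refused with CURLE_UNSUPPORTED_PROTOCOL before any name resolution or socket is opened, which is exactly the property that makes the option a defence rather than a preference:

```python
"""Restrict a libcurl easy handle to an explicit protocol allow-list.

Added example (not from the mailing-list thread, curl or qemu): libcurl is
loaded with ctypes, so no curl headers are needed, only libcurl.so.4.
"""
import ctypes
import ctypes.util

# Option and error numbers copied from <curl/curl.h>; they never change.
CURLOPT_URL = 10002            # CURLOPTTYPE_STRINGPOINT + 2
CURLOPT_NOBODY = 44            # HEAD-style request, no body download
CURLOPT_NOSIGNAL = 99          # never raise SIGALRM from inside libcurl
CURLOPT_CONNECTTIMEOUT_MS = 156
CURLOPT_PROTOCOLS = 181        # CURLOPTTYPE_LONG + 181: bitmask of CURLPROTO_*
CURLOPT_REDIR_PROTOCOLS = 182  # same bitmask, enforced after a redirect
CURLPROTO_HTTP = 1 << 0
CURLPROTO_HTTPS = 1 << 1
CURLE_OK = 0
CURLE_UNSUPPORTED_PROTOCOL = 1


def load_libcurl():
    """Return a ctypes handle to libcurl, or None if none is installed."""
    for name in ("libcurl.so.4", ctypes.util.find_library("curl")):
        if not name:
            continue
        try:
            lib = ctypes.CDLL(name)
        except OSError:
            continue
        # Declare the prototypes we use; curl_easy_setopt is variadic, so
        # its arguments are wrapped explicitly at the call site.
        lib.curl_easy_init.restype = ctypes.c_void_p
        lib.curl_easy_cleanup.argtypes = [ctypes.c_void_p]
        lib.curl_easy_perform.restype = ctypes.c_int
        lib.curl_easy_perform.argtypes = [ctypes.c_void_p]
        lib.curl_easy_strerror.restype = ctypes.c_char_p
        lib.curl_easy_strerror.argtypes = [ctypes.c_int]
        lib.curl_easy_setopt.restype = ctypes.c_int
        return lib
    return None


def fetch_with_allowlist(lib, url, allowed=CURLPROTO_HTTP | CURLPROTO_HTTPS):
    """Perform `url` with only the schemes in `allowed`; return the CURLcode.

    The allow-list is applied both to the initial URL and to any redirect
    target, so a server cannot bounce the client onto a protocol it was
    never meant to speak.
    """
    handle = lib.curl_easy_init()
    if not handle:
        raise RuntimeError("curl_easy_init failed")
    h = ctypes.c_void_p(handle)
    try:
        lib.curl_easy_setopt(h, CURLOPT_PROTOCOLS, ctypes.c_long(allowed))
        lib.curl_easy_setopt(h, CURLOPT_REDIR_PROTOCOLS, ctypes.c_long(allowed))
        lib.curl_easy_setopt(h, CURLOPT_NOSIGNAL, ctypes.c_long(1))
        lib.curl_easy_setopt(h, CURLOPT_NOBODY, ctypes.c_long(1))
        lib.curl_easy_setopt(h, CURLOPT_CONNECTTIMEOUT_MS, ctypes.c_long(1000))
        lib.curl_easy_setopt(h, CURLOPT_URL, ctypes.c_char_p(url.encode()))
        return lib.curl_easy_perform(h)
    finally:
        lib.curl_easy_cleanup(h)


def demo():
    """Exercise the allow-list; returns (blocked_code, allowed_code) or None.

    Constructed URLs: the ftp:// one is outside the allow-list and must be
    rejected without touching the network; the http:// one is allowed and
    gets as far as the connect stage (port 9 is normally closed, so it fails
    with a connection error, never with CURLE_UNSUPPORTED_PROTOCOL).
    """
    lib = load_libcurl()
    if lib is None:
        return None
    blocked = fetch_with_allowlist(lib, "ftp://example.invalid/")
    allowed = fetch_with_allowlist(lib, "http://127.0.0.1:9/")
    for label, code in (("ftp (blocked)", blocked), ("http (allowed)", allowed)):
        print(f"{label}: {code} {lib.curl_easy_strerror(code).decode()}")
    return blocked, allowed


if __name__ == "__main__":
    demo()
```

Since libcurl 7.85.0 the same restriction can be expressed as a string with CURLOPT_PROTOCOLS_STR ("http,https"), which is the form current documentation recommends; the numeric bitmask used here is the one the thread names and still works on every release. Note that the check is done by the library, so it holds for a full libcurl as well as for libcurl-minimal, which is what makes it a useful complement to shipping a reduced build.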

_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure