https://fedoraproject.org/wiki/Changes/CurlMinimal_as_Default

== Summary ==
`libcurl-minimal` and `curl-minimal` will be installed by default instead of `libcurl` and `curl`. The "minimal" variants provide only a subset of protocols (HTTP, HTTPS, FTP). The full versions can be explicitly requested as `libcurl-full` and `curl-full`.

== Owner ==
* Name: [[User:Zbyszek| Zbigniew Jędrzejewski-Szmek]]
* Email: zbyszek at in.waw.pl
* Name: [[User:Kdudka| Kamil Dudka]]
* Email: kdudka at redhat.com

== Detailed Description ==
The `curl` package provides two sets of subpackages: `curl`+`libcurl` and `curl-minimal`+`libcurl-minimal`. `curl-minimal`+`libcurl-minimal` are compiled with various semi-obsolete protocols and infrequently-used features disabled: DICT, GOPHER, IMAP, LDAP, LDAPS, MQTT, NTLM, POP3, RTSP, SMB, SMTP, SFTP, SCP, TELNET, TFTP, brotli compression, IDN2 names. (Both variants support HTTP, HTTPS, and FTP.)

`curl-minimal` has `Provides:curl` and `libcurl-minimal` has `Provides:libcurl`. This means that both sets can be used to satisfy a dependency on `curl` or `libcurl`. `curl` has the virtual `Provides:curl-full` and `libcurl` has the virtual `Provides:libcurl-full`. The user or another package can explicitly pull in the full variants, e.g. with `dnf install curl-full` or `Requires: libcurl-full`.

With this change, `Suggests: libcurl-minimal` or `Suggests: curl-minimal` will be added to a few packages that already have a dependency on `libcurl` or `curl`. Currently, doing this for `systemd` and `rpm` is planned. Effectively, `dnf` will install the minimal variants, unless another package has a stronger dependency on the full variants.

== Benefit to Fedora ==
There are two separate motivations for this.

Those infrequently used protocols are less tested than the common ones and are a source of security bugs. Most users are not using those protocols anyway, so disabling them reduces the bug and attack surface.
(In fact, many applications already call `curl_easy_setopt(c, CURLOPT_PROTOCOLS, …)` to internally limit what protocols are supported. So even if `libcurl` is swapped for `libcurl-minimal`, for many uses there will be no difference.)

The packages for the minimal variants are smaller: a trivial installation with `curl-minimal`+`libcurl-minimal` is 18 MB download, 57 MB installed size, 50 packages; the same with `curl-full` and `libcurl-full` is 21 MB download, 65 MB installed size, 62 packages. Thus we save 8 MB, reducing the initial size by 12%.

== Scope ==
* Proposal owners: Create pull requests to add `Suggests: curl-minimal` or `Suggests: libcurl-minimal` as appropriate to packages which already require `curl` or `libcurl`: `rpm` and `systemd`. This means that any installation that includes those packages (which should be most of them) will get the minimal variants.
* Other developers: For packages that use the full variants: add `Recommends: curl-full` or `Recommends: libcurl-full` or `Requires: curl-full` or `Requires: libcurl-full` as appropriate.
* Release engineering:
* Policies and guidelines: N/A (not needed for this Change)
* Trademark approval: N/A (not needed for this Change)
* Alignment with Objectives:

== Upgrade/compatibility impact ==
Users who use curl, or another application which uses libcurl, with the removed protocols will lose support for those protocols. They will need to explicitly install the full variants.

== How To Test ==
Run `dnf swap curl curl-minimal` or `dnf swap libcurl libcurl-minimal` and check that `curl` and other applications using `libcurl` still work.

== User Experience ==
This should not be noticed by users, except as noted above in Upgrade/compatibility impact.

== Dependencies ==

== Contingency Plan ==
Remove the additions of Suggests, or even add explicit Recommends or Requires.
* Contingency deadline: any time, possibly even after the final release
* Blocks release? No

== Documentation ==
This page should be enough.

== Release Notes ==
`curl-minimal` and `libcurl-minimal` are installed by default. The support for various obsolete protocols is unavailable by default through curl (DICT, GOPHER, IMAP, LDAP, LDAPS, MQTT, NTLM, POP3, RTSP, SMB, SMTP, SFTP, SCP, TELNET, TFTP, brotli compression, IDN2 names).

-- 
Ben Cotton
He / Him / His
Fedora Program Manager
Red Hat
TZ=America/Indiana/Indianapolis
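
The check from "How To Test", extended into a small audit script as an added example (not part of the original proposal or of curl itself): it parses the `Protocols:` and `Features:` lines that `curl --version` prints and reports which of the items removed in the minimal build are still enabled. The two sample outputs are constructed, and the feature spellings `NTLM`, `brotli` and `IDN` are assumptions about how curl prints them.

```shell
#!/bin/sh
# Added example: report which items removed from curl-minimal are still enabled.
# The removed list is taken from the proposal; lower-case protocol names and the
# feature spellings (NTLM, brotli, IDN) are assumed `curl --version` spellings.
REMOVED_PROTOCOLS="dict gopher imap ldap ldaps mqtt pop3 rtsp smb smtp sftp scp telnet tftp"
REMOVED_FEATURES="NTLM brotli IDN"

# Constructed sample outputs (not captured from a real system).
SAMPLE_FULL='curl X.Y.Z (constructed sample) libcurl/X.Y.Z
Protocols: dict ftp gopher http https imap ldap ldaps mqtt pop3 rtsp scp sftp smb smtp telnet tftp
Features: AsynchDNS brotli HTTP2 IDN IPv6 NTLM SSL'
SAMPLE_MINIMAL='curl X.Y.Z (constructed sample) libcurl/X.Y.Z
Protocols: ftp http https
Features: AsynchDNS HTTP2 IPv6 SSL'

# field_words LABEL TEXT: print the words that follow "LABEL:", one per line.
field_words() {
    printf '%s\n' "$2" | sed -n "s/^$1: *//p" | tr -s ' ' '\n'
}

# legacy_enabled TEXT: print the removed protocols and features found in TEXT.
legacy_enabled() {
    found=""
    protos=$(field_words Protocols "$1")
    feats=$(field_words Features "$1")
    for p in $REMOVED_PROTOCOLS; do
        # -x matches the whole word, so "imaps" does not count as "imap".
        if printf '%s\n' "$protos" | grep -qx "$p"; then found="$found $p"; fi
    done
    for f in $REMOVED_FEATURES; do
        if printf '%s\n' "$feats" | grep -qx "$f"; then found="$found $f"; fi
    done
    printf '%s' "${found# }"
}

# classify TEXT: "minimal" if nothing from the removed list is enabled, else "full".
classify() {
    if [ -z "$(legacy_enabled "$1")" ]; then echo minimal; else echo full; fi
}

echo "full sample:    $(classify "$SAMPLE_FULL") [$(legacy_enabled "$SAMPLE_FULL")]"
echo "minimal sample: $(classify "$SAMPLE_MINIMAL")"
```

On a live system, pass the real output instead of a sample: `legacy_enabled "$(curl --version)"`. An empty result after `dnf swap curl curl-minimal` means none of the listed protocols or features remain enabled.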