F37 Change: Curl-minimal as default (System-Wide Change proposal)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



https://fedoraproject.org/wiki/Changes/CurlMinimal_as_Default

== Summary ==
`libcurl-minimal` and `curl-minimal` will be installed by default
instead of `libcurl` and `curl`.
The "minimal" variants provide only a subset of protocols (HTTP, HTTPS, FTP).
The full versions can be explicitly requested as `libcurl-full` and `curl-full`.

== Owner ==
* Name: [[User:Zbyszek| Zbigniew Jędrzejewski-Szmek]]
* Email: zbyszek at in.waw.pl
* Name: [[User:Kdudka| Kamil Dudka]]
* Email: kdudka at redhat.com


== Detailed Description ==

The `curl` package provides two sets of subpackages: `curl`+`libcurl`
and `curl-minimal`+`libcurl+minimal`.
`curl-minimal`+`libcurl-minimal` are compiled with various
semi-obsolete protocols and infrequently-used features disabled:
DICT, GOPHER, IMAP, LDAP, LDAPS, MQTT, NTLM, POP3, RTSP, SMB, SMTP,
SFTP, SCP, TELNET, TFTP, brotli compression, IDN2 names.

(Both variants support HTTP, HTTPS, and FTP.)

`curl-minimal` has `Provides:curl` and `libcurl-minimal` has `Provides:libcurl`.
This means that both sets can be used to satisfy a dependency on
`curl` or `libcurl`.
`curl` has the virtual `Provides:curl-full` and `libcurl` has the
virtual `Provides:libcurl-full`.
The user or another package can explicitly pull in the full variants,
e.g. with `dnf install curl-full`
or `Requires: libcurl-full`.
With this change, `Suggests: libcurl-minimal` or `Suggests:
curl-minimal` will be added to a few packages
that already have a dependency on `libcurl` or `curl`.
Currently, doing this for `systemd` and `rpm` is planned.
Effectively, `dnf` will install the minimal variants, unless another
package has a stronger dependency on the full variants.


== Benefit to Fedora ==
There are two separate motivations for this.

Those infrequently used protocols are less tested than the common ones
and are a source of security bugs.
Most users are not using those protocols anyway, so disabling them
reduces the bug and attack surface.
(In fact, many applications already call `curl_easy_setopt(c,
CURLOPT_PROTOCOLS, …)` to internally
limit what protocols are supported. So even if `libcurl` is swapped
for `libcurl-minimal` for many
uses this will not be a difference.)

The packages for the minimal variants are smaller:
a trivial installation with `curl-minimal`+`libcurl+minimal` is 18 MB
download, 57 MB installed size, 50 packages;
the same with `curl-full` and  `libcurl-full` is 21 MB download, 65
installed size, 62 packages.
Thus we save 8 MB, reducing the initial size by 12%.

== Scope ==
* Proposal owners:
Create pull requests to add `Suggests: curl-minimal` or `Suggests:
libcurl-minimal` as appropriate
to packages which already require `curl` or `libcurl`: `rpm` and `systemd`.
This means that any installation (which should be most of them) will
get the minimal variants.

* Other developers:
For packages that use the full variants: add `Recommends: curl-full`
or `Recommends: libcurl-full` or
`Requires: curl-full` or `Requires: libcurl-full` as appropriate.

* Release engineering:
* Policies and guidelines: N/A (not needed for this Change)
* Trademark approval: N/A (not needed for this Change)
* Alignment with Objectives:

== Upgrade/compatibility impact ==
Users who use curl or another application which uses libcurl with the
removed protocols will lose support for those protocols. They will
need to explicitly install the full variants.

== How To Test ==
`dnf swap curl curl-minimal` or `dnf swap libcurl libcurl-minimal` and
check that `curl` and other applications using `libcurl` still work.

== User Experience ==
This should be not be noticed by users, except as noted above in
Upgrade/compatibility impact.

== Dependencies ==

== Contingency Plan ==

Remove the additions of Suggests, or even add explicit Recommends or Requires.
* Contingency deadline: any time, possibly even after the final release
* Blocks release? No

== Documentation ==
This page should be enough.

== Release Notes ==
`curl-minimal` and `libcurl-minimal` are installed by default. The
support for various obsolete protocols is unavailable by default
through curl (DICT, GOPHER, IMAP, LDAP, LDAPS, MQTT, NTLM, POP3, RTSP,
SMB, SMTP, SFTP, SCP, TELNET, TFTP, brotli compression, IDN2 names).


-- 
Ben Cotton
He / Him / His
Fedora Program Manager
Red Hat
TZ=America/Indiana/Indianapolis
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux