Re: F37 Change: Curl-minimal as default (System-Wide Change proposal)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 3/3/22 16:49, Richard W.M. Jones wrote:
> On Thu, Mar 03, 2022 at 08:14:20PM +0100, Kamil Dudka wrote:
>> On Thursday, March 3, 2022 3:24:38 PM CET Richard W.M. Jones wrote:
>>> On Thu, Mar 03, 2022 at 09:04:10AM +0100, Kamil Dudka wrote:
>>>> The FTP protocol is still included in libcurl-minimal, so the protocol is
>>>> not going to disappear with the proposed F37 change.  On the other
>>>> hand, it may happen that FTP will be unavailable by default in a year or
>>>> two.
>>>
>>>
>>> I'm still wondering what you're trying to achieve with this change.
>>>
>>> The stated benefits[1] are that the "minimal variants are smaller",
>>> which is a non-goal for almost everyone.  And something to do with
>>> security which will be immediately negated once everyone unbreaks
>>> their Fedora by installing curl-full.  And the security angle would be
>>> better fixed by reviewing Fedora packages for correct use of
>>> CURLOPT_PROTOCOLS (see my other email[2]).
>>>
>>> Rich.
>>>
>>> [1] https://fedoraproject.org/wiki/Changes/CurlMinimal_as_Default#Benefit_to_Fedora
>>> [2] ttps://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx/message/7PQUPLCEQ5NMXFXZTP75XYDNF5KAJHMI/
>>
>> I answered both your questions back in October 2021:
>>
>>     https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx/message/ZZMU36DFRSDJOIJJ75CLF45R6GDVSEYI/
> 
> FTR you didn't actually answer the points there.
> 
> (1) I don't deny that curl-minimal will reduce the size of some niche
> containers, my point is this is not a worthwhile goal to pursue given
> the costs.
> 
> (2) Once people have unbroken their Fedora by installing curl-full,
> the security claims you make about compiled code paths are not
> applicable.
Not everyone will need to install curl-full!  One of my VMs only has
curl-minimal and works fine for my uses.  Another approach would be to
limit CURLOPT_REDIR_PROTOCOLS by default; I doubt many people are using
redirects to protocols other than HTTP or HTTPS.  However, these are
independent of each other.

-- 
Sincerely,
Demi Marie Obenour (she/her/hers)

Attachment: OpenPGP_0xB288B55FFF9C22C1.asc
Description: OpenPGP public key

Attachment: OpenPGP_signature
Description: OpenPGP digital signature

_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux