On 3/3/22 16:49, Richard W.M. Jones wrote:
> On Thu, Mar 03, 2022 at 08:14:20PM +0100, Kamil Dudka wrote:
>> On Thursday, March 3, 2022 3:24:38 PM CET Richard W.M. Jones wrote:
>>> On Thu, Mar 03, 2022 at 09:04:10AM +0100, Kamil Dudka wrote:
>>>> The FTP protocol is still included in libcurl-minimal, so the protocol is
>>>> not going to disappear with the proposed F37 change. On the other
>>>> hand, it may happen that FTP will be unavailable by default in a year or
>>>> two.
>>>
>>>
>>> I'm still wondering what you're trying to achieve with this change.
>>>
>>> The stated benefits[1] are that the "minimal variants are smaller",
>>> which is a non-goal for almost everyone. And something to do with
>>> security which will be immediately negated once everyone unbreaks
>>> their Fedora by installing curl-full. And the security angle would be
>>> better fixed by reviewing Fedora packages for correct use of
>>> CURLOPT_PROTOCOLS (see my other email[2]).
>>>
>>> Rich.
>>>
>>> [1] https://fedoraproject.org/wiki/Changes/CurlMinimal_as_Default#Benefit_to_Fedora
>>> [2] https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx/message/7PQUPLCEQ5NMXFXZTP75XYDNF5KAJHMI/
>>
>> I answered both your questions back in October 2021:
>>
>> https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx/message/ZZMU36DFRSDJOIJJ75CLF45R6GDVSEYI/
>
> FTR you didn't actually answer the points there.
>
> (1) I don't deny that curl-minimal will reduce the size of some niche
> containers, my point is this is not a worthwhile goal to pursue given
> the costs.
>
> (2) Once people have unbroken their Fedora by installing curl-full,
> the security claims you make about compiled code paths are not
> applicable.

Not everyone will need to install curl-full! One of my VMs only has
curl-minimal and works fine for my uses.

Another approach would be to limit CURLOPT_REDIR_PROTOCOLS by default;
I doubt many people are using redirects to protocols other than HTTP or HTTPS.
However, these are independent of each other.

-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
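
A heuristic source check in the spirit of the CURLOPT_PROTOCOLS review and the CURLOPT_REDIR_PROTOCOLS restriction discussed in the thread, added here as an example and not code from any poster, Fedora or the curl project. The function name, finding strings and the C sample are constructed for illustration, and the check only sees literal `curl_easy_setopt` calls grouped by handle variable name.

```python
import re
from collections import defaultdict

# curl_easy_setopt(<handle>, CURLOPT_<NAME>, <value>);  (may span lines)
SETOPT = re.compile(
    r"curl_easy_setopt\s*\(\s*([A-Za-z_][\w.\->]*)\s*,\s*(CURLOPT_\w+)\s*,"
    r"\s*([^;]*?)\)\s*;"
)
PROTO_OPTS = {"CURLOPT_PROTOCOLS", "CURLOPT_PROTOCOLS_STR"}
REDIR_OPTS = {"CURLOPT_REDIR_PROTOCOLS", "CURLOPT_REDIR_PROTOCOLS_STR"}

def audit_curl_source(source):
    """Return (handle, finding) pairs for handles that fetch a URL
    without an explicit protocol allow-list (assumed review policy)."""
    opts = defaultdict(dict)
    for handle, opt, value in SETOPT.findall(source):
        opts[handle][opt] = value.strip()
    findings = []
    for handle, seen in sorted(opts.items()):
        if "CURLOPT_URL" not in seen:
            continue  # handle never given a URL in this file
        if PROTO_OPTS.isdisjoint(seen):
            findings.append((handle, "no CURLOPT_PROTOCOLS restriction"))
        follows = seen.get("CURLOPT_FOLLOWLOCATION", "0") not in ("0", "0L")
        if follows and REDIR_OPTS.isdisjoint(seen):
            findings.append(
                (handle, "follows redirects without CURLOPT_REDIR_PROTOCOLS"))
    return findings

# Constructed sample input, not taken from any real package.
SAMPLE_C = r'''
curl_easy_setopt(dl, CURLOPT_URL, user_url);
curl_easy_setopt(dl, CURLOPT_FOLLOWLOCATION, 1L);

curl_easy_setopt(api, CURLOPT_URL, "https://example.invalid/v1");
curl_easy_setopt(api, CURLOPT_PROTOCOLS_STR, "https");
curl_easy_setopt(api, CURLOPT_FOLLOWLOCATION, 1L);
curl_easy_setopt(api, CURLOPT_REDIR_PROTOCOLS_STR, "https");

curl_easy_setopt(probe, CURLOPT_URL, target);
curl_easy_setopt(probe, CURLOPT_PROTOCOLS,
                 (long)(CURLPROTO_HTTP | CURLPROTO_HTTPS));
curl_easy_setopt(probe, CURLOPT_FOLLOWLOCATION, 1L);
'''

if __name__ == "__main__":
    for handle, finding in audit_curl_source(SAMPLE_C):
        print(f"{handle}: {finding}")
```

A hit is a prompt for manual review, not proof of a bug: options set through wrappers, macros or a shared handle in another file are invisible to this pattern.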