On Thursday, March 3, 2022 10:49:07 PM CET Richard W.M. Jones wrote:

> (1) I don't deny that curl-minimal will reduce the size of some niche
> containers, my point is this is not a worthwhile goal to pursue given
> the costs.

I am pretty sure there are Fedora installations not based on containers where the installation footprint is also important.

> (2) Once people have unbroken their Fedora by installing curl-full,
> the security claims you make about compiled code paths are not
> applicable.

The users who install libcurl-full will have the same attack surface that they have today. However, as pointed out by others, not all users will install libcurl-full and those will be a priori unaffected by a portion of the CVEs that we regularly deal with.

We are also tweaking the configuration of libcurl-minimal to ensure that it can be used as a replacement for libcurl-full on the most common Fedora installations. For example, the FTP protocol was left in libcurl-minimal for now, despite the protocol not being optimal from security experts' point of view, and libidn was enabled in libcurl-minimal last week:

https://src.fedoraproject.org/rpms/curl/c/cf3c14e4

Your suggestion to use CURLOPT_PROTOCOLS is a good idea and I fully support it but it cannot be a replacement for libcurl-minimal because there is no algorithmic way to decide whether all users of libcurl disable a problematic protocol on all reachable code paths. The problem is in general undecidable.

Kamil

_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure