On 3/16/22 08:56, Daniel Stenberg via curl-library wrote:
> Hello friends,
> In case you missed this idea that popped up in the Fedora project, I
> wrote up my take on it:
> https://daniel.haxx.se/blog/2022/03/16/fedora-and-curl-minimal/
I did not follow the whole discussion about it but read the announcement
on the fedora devel announce list.
I don't like this idea and totally agree with your blog post.
I presume they would remove it completely from the bare distro if it were
possible, but they need it to support key components of the distro: the
dnf installer and the abrt crash reporter. What is proposed as a
"minimal" version is the strict minimum necessary to support them (BTW: they do
not mention the file:// protocol!).
To their credit, the security argument is not the only one: they also
want to reduce external package requirements. I can understand that
disabling things like brotli saves some (very tiny) resources without
reducing the capabilities, but removing ntlm, smb and mail protocols
doesn't spare a lot with regard to the resulting tool downgrade.
What will be installed by default is not a utility anymore and will
just, as you noted, force real users to manually install the full
version :-(
Regarding the security argument: we are very honest about our bugs and
"advertise" them widely for the sake of our users (and I agree with
this). Is it too much, as it seems this plays against trust in curl in
this case? The reality is our (fixed) security flaws were far from
prevalent and only a very few of them were practically exploitable.
Patrick