On 3/16/22 08:56, Daniel Stenberg via curl-library wrote:
> Hello friends,
>
> In case you missed this idea that popped up in the Fedora project, I wrote up my take on it:
>
>   https://daniel.haxx.se/blog/2022/03/16/fedora-and-curl-minimal/

I did not follow the whole discussion about it but read the announcement on the Fedora devel announce list.

I don't like this idea and totally agree with your blog post.

I presume they would remove it completely from the bare distro if it were possible, but they need it to support key components of the distro: the dnf installer and the abrt crash reporter. What is proposed as a "minimal" version is the strict minimum necessary to support them (BTW: they do not mention the file:// protocol!).

To their credit, the security argument is not the only one: they also want to reduce external package requirements. I can understand that disabling things like brotli saves some (very tiny) resources without reducing the capabilities, but removing ntlm, smb and mail protocols doesn't spare a lot with regard to the resulting tool downgrade.

What will be installed by default is not a utility anymore and will just, as you noted, force real users to manually install the full version :-(

Regarding the security argument: we are very honest about our bugs and "advertise" them widely for the sake of our users (and I agree with this). Is it too much, as it seems this plays against trust in curl in this case? The reality is that our (fixed) security flaws were far from prevalent and only a very few of them were practically exploitable.

Patrick

--
Unsubscribe: https://lists.haxx.se/listinfo/curl-library
Etiquette:   https://curl.haxx.se/mail/etiquette.html