On Thursday, October 14, 2021 3:27:03 PM CEST Steve Grubb wrote:
> Hello,
>
> On Thursday, October 14, 2021 6:51:54 AM EDT Kamil Dudka wrote:
> > > what is the plan with introduction of libcurl-minimal in Fedora?
> >
> > I proposed to use libcurl-minimal and curl-minimal in minimal base images
> > half a year ago but there has been no reply so far:
> > https://pagure.io/minimization/issue/25
>
> I'd like to suggest making libcurl-minimal very minimal for security
> reasons. The main curl package has many security issues (CVEs) constantly.
> But usually, the problem is in some obscure feature/protocol. Looking at
> the packages that depend on libcurl with rpmreaper, most would use http(s).
> There might be some that use another protocol. But clear text protocols
> like telnet and ftp really don't have a use in today's internet. Too many
> threats for clear text.
>
> So with security in mind - and not solving excessive dependencies, I'd
> suggest going very minimal. Just maybe 3 or 4 of the most used protocols by
> things that require libcurl.
>
> Cheers,
> -Steve

Hi Steve,

this is exactly what the following bug (filed by Jan Pazdziora) is about:

https://bugzilla.redhat.com/2005874

The changes proposed in the above bug have already landed in Fedora Rawhide.
As I understand it, Zbyszek is now proposing to make changes to other packages
and/or distribution metadata in order to make (lib)curl-minimal actually used
on some Fedora installations by default.

Kamil