On Thu, Oct 14, 2021 at 09:52:59AM +0000, Zbigniew Jędrzejewski-Szmek wrote:
> Hi Kamil and everyone,
>
> what is the plan with introduction of libcurl-minimal in Fedora?
> IIUC, libcurl and libcurl-minimal both have the same Provides, so
> libcurl-minimal can be used to satisfy automatically generated
> dependencies:
>
> $ dnf repoquery --provides libcurl-minimal
> libcurl = 7.78.0-3.fc35
> libcurl(x86-32) = 7.78.0-3.fc35
> libcurl(x86-64) = 7.78.0-3.fc35
> libcurl-minimal = 7.78.0-3.fc35
> libcurl-minimal(x86-32) = 7.78.0-3.fc35
> libcurl-minimal(x86-64) = 7.78.0-3.fc35
> libcurl.so.4
> libcurl.so.4()(64bit)
> $ dnf repoquery --provides libcurl
> libcurl = 7.78.0-3.fc35
> libcurl(x86-32) = 7.78.0-3.fc35
> libcurl(x86-64) = 7.78.0-3.fc35
> libcurl-full = 7.78.0-3.fc35
> libcurl-full(x86-32) = 7.78.0-3.fc35
> libcurl-full(x86-64) = 7.78.0-3.fc35
> libcurl.so.4
> libcurl.so.4()(64bit)

What's the aim here? Small size on disk? General fear of having
insecure but unused protocols linked with programs?

It's a shame it has to be packaged this way. I got halfway through
writing a curl handler (which I really must finish) and my impression
is that at a code level they are quite modular, so maybe upstream
would be interested in turning them into real loadable modules. Then
we could package each protocol ("curl-http.so") as a separate RPM
which is really best of all worlds.

In the meantime I'd like to encourage every program in Fedora that
uses curl to call CURLOPT_PROTOCOLS(3). This is a real defence
against remote exploits (CVE-2013-0249 was one that happened in qemu).

Rich.

--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-builder quickly builds VMs from scratch
http://libguestfs.org/virt-builder.1.html