From Fedora Project Wiki

< Changes

Revision as of 17:55, 15 February 2022 by Zbyszek (talk | contribs) (initial version)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)


Curl-minimal as default

Summary

libcurl-minimal and curl-minimal will be installed by default instead of libcurl and curl. The "minimal" variants provide only a subset of protocols (HTTP, HTTPS, FTP). The full versions can be explicitly requested as libcurl-full and curl-full.

Owner

Current status

  • Targeted release: Fedora Linux 37
  • Last updated: 2022-02-15
  • FESCo issue: <will be assigned by the Wrangler>
  • Tracker bug: <will be assigned by the Wrangler>
  • Release notes tracker: <will be assigned by the Wrangler>

Detailed Description

The curl package provides two sets of subpackages: curl+libcurl and curl-minimal+libcurl+minimal. curl-minimal+libcurl-minimal are compiled with various semi-obsolete protocols and infrequently-used features disabled: DICT, GOPHER, IMAP, LDAP, LDAPS, MQTT, NTLM, POP3, RTSP, SMB, SMTP, SFTP, SCP, TELNET, TFTP, brotli compression, IDN2 names.

(Both variants support HTTP, HTTPS, and FTP.)

curl-minimal has Provides:curl and libcurl-minimal has Provides:libcurl. This means that both sets can be used to satisfy a dependency on curl or libcurl. curl has the virtual Provides:curl-full and libcurl has the virtual Provides:libcurl-full. The user or another package can explicitly pull in the full variants, e.g. with dnf install curl-full or Requires: libcurl-full. With this change, Suggests: libcurl-minimal or Suggests: curl-minimal will be added to a few packages that already have a dependency on libcurl or curl. Currently, doing this for systemd and rpm is planned. Effectively, dnf will install the minimal variants, unless another package has a stronger dependency on the full variants.

Feedback

Benefit to Fedora

There are two separate motivations for this.

Those infrequently used protocols are less tested than the common ones and are a source of security bugs. Most users are not using those protocols anyway, so disabling them reduces the bug and attack surface. (In fact, many applications already call curl_easy_setopt(c, CURLOPT_PROTOCOLS, …) to internally limit what protocols are supported. So even if libcurl is swapped for libcurl-minimal for many uses this will not be a difference.)

The packages for the minimal variants are smaller: a trivial installation with curl-minimal+libcurl+minimal is 18 MB download, 57 MB installed size, 50 packages; the same with curl-full and libcurl-full is 21 MB download, 65 installed size, 62 packages. Thus we save 8 MB, reducing the initial size by 12%.

Scope

  • Proposal owners:

Create pull requests to add Suggests: curl-minimal or Suggests: libcurl-minimal as appropriate to packages which already require curl or libcurl: rpm and systemd. This means that any installation (which should be most of them) will get the minimal variants.

  • Other developers:

For packages that use the full variants: add Recommends: curl-full or Recommends: libcurl-full or Requires: curl-full or Requires: libcurl-full as appropriate.

  • Policies and guidelines: N/A (not needed for this Change)
  • Trademark approval: N/A (not needed for this Change)
  • Alignment with Objectives: minimization

Upgrade/compatibility impact

Users who use curl or another application which uses libcurl with the removed protocols will lose support for those protocols. They will need to explicitly install the full variants.

How To Test

dnf swap curl curl-minimal or dnf swap libcurl libcurl-minimal and check that curl and other applications using libcurl still work.

User Experience

This should be not be noticed by users, except as noted above in Upgrade/compatibility impact.

Dependencies

Contingency Plan

Remove the additions of Suggests, or even add explicit Recommends or Requires.

  • Contingency deadline: any time, possibly even after the final release
  • Blocks release? No

Documentation

This page should be enough.

Release Notes

curl-minimal and libcurl-minimal are installed by default. The support for various obsolete protocols is unavailable by default through curl (DICT, GOPHER, IMAP, LDAP, LDAPS, MQTT, NTLM, POP3, RTSP, SMB, SMTP, SFTP, SCP, TELNET, TFTP, brotli compression, IDN2 names).

Retrieved from "https://fedoraproject.org/w/index.php?title=Changes/CurlMinimal_as_Default&oldid=636335"