(initial version) |
(Change rejected by FESCo) |
||
(4 intermediate revisions by 2 users not shown) | |||
Line 9: | Line 9: | ||
== Owner == | == Owner == | ||
* Name: [[User:Zbyszek| Zbigniew Jędrzejewski-Szmek]] | * Name: [[User:Zbyszek| Zbigniew Jędrzejewski-Szmek]], [[User:Kdudka| Kamil Dudka]] | ||
* Email: zbyszek at in.waw.pl, kdudka at redhat.com | |||
* Email: kdudka at redhat.com | |||
== Current status == | == Current status == | ||
Line 32: | Line 30: | ||
ON_QA -> change is fully code complete | ON_QA -> change is fully code complete | ||
--> | --> | ||
* FESCo issue: | * [https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/SH5WAIBVF7GVSKL2VPMSQKY7BB4QYEB5/ devel thread] | ||
* FESCo issue: [https://pagure.io/fesco/issue/2768 #2768] | |||
* Tracker bug: <will be assigned by the Wrangler> | * Tracker bug: <will be assigned by the Wrangler> | ||
* Release notes tracker: <will be assigned by the Wrangler> | * Release notes tracker: <will be assigned by the Wrangler> | ||
Line 91: | Line 90: | ||
<!-- If your Change may require trademark approval (for example, if it is a new Spin), file a ticket ( https://pagure.io/Fedora-Council/tickets/issues ) requesting trademark approval from the Fedora Council. This approval will be done via the Council's consensus-based process. --> | <!-- If your Change may require trademark approval (for example, if it is a new Spin), file a ticket ( https://pagure.io/Fedora-Council/tickets/issues ) requesting trademark approval from the Fedora Council. This approval will be done via the Council's consensus-based process. --> | ||
* Alignment with Objectives: | * Alignment with Objectives: | ||
== Upgrade/compatibility impact == | == Upgrade/compatibility impact == | ||
Users who use curl or another application which uses libcurl with the removed protocols will lose support for those protocols. They will need to explicitly install the full variants. | Users who use curl or another application which uses libcurl with the removed protocols will lose support for those protocols. They will need to explicitly install the full variants. | ||
Packages that require `curl-full` or `libcurl-full` at build time or run time will need to add `BuildRequires: curl-full`, `BuildRequires: libcurl-full`, `Requires: curl-full`, or `Requires: libcurl-full` as appropriate. Note that `libcurl-devel` does ''not'' pull in `libcurl-full`. | |||
== How To Test == | == How To Test == |
Latest revision as of 16:38, 10 March 2022
Curl-minimal as default
Summary
libcurl-minimal
and curl-minimal
will be installed by default instead of libcurl
and curl
.
The "minimal" variants provide only a subset of protocols (HTTP, HTTPS, FTP).
The full versions can be explicitly requested as libcurl-full
and curl-full
.
Owner
- Name: Zbigniew Jędrzejewski-Szmek, Kamil Dudka
- Email: zbyszek at in.waw.pl, kdudka at redhat.com
Current status
- Targeted release: Fedora Linux 37
- Last updated: 2022-03-10
- devel thread
- FESCo issue: #2768
- Tracker bug: <will be assigned by the Wrangler>
- Release notes tracker: <will be assigned by the Wrangler>
Detailed Description
The curl
package provides two sets of subpackages: curl
+libcurl
and curl-minimal
+libcurl+minimal
.
curl-minimal
+libcurl-minimal
are compiled with various semi-obsolete protocols and infrequently-used features disabled:
DICT, GOPHER, IMAP, LDAP, LDAPS, MQTT, NTLM, POP3, RTSP, SMB, SMTP, SFTP, SCP, TELNET, TFTP, brotli compression, IDN2 names.
(Both variants support HTTP, HTTPS, and FTP.)
curl-minimal
has Provides:curl
and libcurl-minimal
has Provides:libcurl
.
This means that both sets can be used to satisfy a dependency on curl
or libcurl
.
curl
has the virtual Provides:curl-full
and libcurl
has the virtual Provides:libcurl-full
.
The user or another package can explicitly pull in the full variants, e.g. with dnf install curl-full
or Requires: libcurl-full
.
With this change, Suggests: libcurl-minimal
or Suggests: curl-minimal
will be added to a few packages
that already have a dependency on libcurl
or curl
.
Currently, doing this for systemd
and rpm
is planned.
Effectively, dnf
will install the minimal variants, unless another package has a stronger dependency on the full variants.
Feedback
Benefit to Fedora
There are two separate motivations for this.
Those infrequently used protocols are less tested than the common ones and are a source of security bugs.
Most users are not using those protocols anyway, so disabling them reduces the bug and attack surface.
(In fact, many applications already call curl_easy_setopt(c, CURLOPT_PROTOCOLS, …)
to internally
limit what protocols are supported. So even if libcurl
is swapped for libcurl-minimal
for many
uses this will not be a difference.)
The packages for the minimal variants are smaller:
a trivial installation with curl-minimal
+libcurl+minimal
is 18 MB download, 57 MB installed size, 50 packages;
the same with curl-full
and libcurl-full
is 21 MB download, 65 installed size, 62 packages.
Thus we save 8 MB, reducing the initial size by 12%.
Scope
- Proposal owners:
Create pull requests to add Suggests: curl-minimal
or Suggests: libcurl-minimal
as appropriate
to packages which already require curl
or libcurl
: rpm
and systemd
.
This means that any installation (which should be most of them) will get the minimal variants.
- Other developers:
For packages that use the full variants: add Recommends: curl-full
or Recommends: libcurl-full
or
Requires: curl-full
or Requires: libcurl-full
as appropriate.
- Release engineering: #Releng issue number
- Policies and guidelines: N/A (not needed for this Change)
- Trademark approval: N/A (not needed for this Change)
- Alignment with Objectives:
Upgrade/compatibility impact
Users who use curl or another application which uses libcurl with the removed protocols will lose support for those protocols. They will need to explicitly install the full variants.
Packages that require curl-full
or libcurl-full
at build time or run time will need to add BuildRequires: curl-full
, BuildRequires: libcurl-full
, Requires: curl-full
, or Requires: libcurl-full
as appropriate. Note that libcurl-devel
does not pull in libcurl-full
.
How To Test
dnf swap curl curl-minimal
or dnf swap libcurl libcurl-minimal
and check that curl
and other applications using libcurl
still work.
User Experience
This should be not be noticed by users, except as noted above in Upgrade/compatibility impact.
Dependencies
Contingency Plan
Remove the additions of Suggests, or even add explicit Recommends or Requires.
- Contingency deadline: any time, possibly even after the final release
- Blocks release? No
Documentation
This page should be enough.
Release Notes
curl-minimal
and libcurl-minimal
are installed by default. The support for various obsolete protocols is unavailable by default through curl (DICT, GOPHER, IMAP, LDAP, LDAPS, MQTT, NTLM, POP3, RTSP, SMB, SMTP, SFTP, SCP, TELNET, TFTP, brotli compression, IDN2 names).