
Fedora considers curl-minimal

Posted Mar 10, 2022 8:42 UTC (Thu) by rwmj (subscriber, #5474)
Parent article: Fedora considers curl-minimal

It seems clear to me that the driver for this is some pointless competition where everyone tries to claim the crown of having the smallest base container. But container layers get cached - you only download them once - disks are cheap and networks are getting better. This isn't something we need.


to post comments

Fedora considers curl-minimal

Posted Mar 10, 2022 8:53 UTC (Thu) by SLi (subscriber, #53131) [Link] (4 responses)

I'm curious, why does it seem to be about size instead of the attack surface as explicitly stated?

Fedora considers curl-minimal

Posted Mar 10, 2022 9:01 UTC (Thu) by rwmj (subscriber, #5474) [Link] (3 responses)

If we are really serious about attack surface we should audit Fedora programs that use libcurl and make sure they are using CURLOPT_PROTOCOLS (https://curl.se/libcurl/c/CURLOPT_PROTOCOLS.html), because that is the only way to ensure that unwanted/exploitable curl modules are not invoked by redirects.

Fedora considers curl-minimal

Posted Mar 10, 2022 14:43 UTC (Thu) by smoogen (subscriber, #97) [Link]

The problem with auditing is the same as saying upstream should make curl modular. Someone has to step up and do the work and no one has (mainly because you then have to interact with N upstreams who may not see it as something they want to do either.) This seems to be the inevitable 'ok so no one has that energy, what can we do?' compromise.

Fedora considers curl-minimal

Posted Mar 14, 2022 14:43 UTC (Mon) by Paf (subscriber, #91811) [Link] (1 response)

We could do that if we’re “serious about security”, or, being equally serious about security, we could do this. And then if someone ever installs something that isn’t packaged by Fedora, they would *also* benefit from this change if it doesn’t use that option correctly.

Yes, if we handle our footguns *correctly*, there’s no issue. There’s ongoing overhead and risk from their existence, but obviously, handled correctly, they’re fine. If they’re completely unnecessary - like most, though not all, of these protocols clearly are - we could also *stop shipping them by default*.

Fedora considers curl-minimal

Posted Mar 14, 2022 14:55 UTC (Mon) by rwmj (subscriber, #5474) [Link]

More likely if someone installs something not in Fedora and they have curl-minimal they'll be wondering why the package they just installed doesn't work.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds