|
|
Subscribe / Log in / New account

Fedora considers curl-minimal

Fedora considers curl-minimal

Posted Mar 14, 2022 15:00 UTC (Mon) by Paf (subscriber, #91811)
Parent article: Fedora considers curl-minimal

It’s just incredible to me that people seem to be arguing in favor of never deprecating *anything* by default in an internet facing program. Sure, the selected list seems too broad, possibly much too broad, but the idea that “respecting developer power” should trump anything else…. Or the repeated - in the comments here - detailed arguments about binary size, which the article and thread make clear is a non-concern…. It’s fun to have every protocol ever, sure, but if you want that it’s one package install away. One of the absolute best ways to reduce burden and improve security is *removing stuff*. Code that doesn’t exist has no bugs.

As for the Fedora thread, the idea that everyone is going to “unbreak Fedora by installing full curl”…. No, if the protocol list is reasonable (I agree this removal is too broad), 99+% of users (including developers) will *never notice there was a change*.

How many of you can honestly say you’ve needed curl to support something other than HTTP, HTTPS, FTP, SFTP, NTLM, brotli, and (I guess?) TFTP in the last decade? (IDN gets a pass for reasons cited in the article.) Not for fun - actually needed.

to post comments

Fedora considers curl-minimal

Posted Mar 14, 2022 18:45 UTC (Mon) by bagder (guest, #38414) [Link] (2 responses)

The curl project asks its users about these things in its annual survey. While that then is self-reported it certainly isn't an unquestionable truth, but probably the best what-features-in-curl-is-used numbers you can get.

The 2021 survey analysis is linked to from here: https://daniel.haxx.se/blog/2021/07/05/curl-user-survey-2...

Fedora considers curl-minimal

Posted Mar 15, 2022 12:29 UTC (Tue) by Paf (subscriber, #91811) [Link] (1 responses)

Given curls use in scripts and other tools used in installers, etc, I feel comfortable saying the user survey is massively *unrepresentative* of use.

Those interested enough in curl to take the survey are vastly more likely to use weird protocols.

In essence we see it has two lives:
A basic system component which is worked in to the fabric of other things, in which role it uses HTTP, HTTPS, and FTP to get stuff from the internet
A Swiss army utility protocol fiddler/translator for developers and admins

It doesn’t seem crazy these would be separate packages, given the risks posed to the (much larger) first group, and the minor burden introduced for the second group who know how to deal with it.

Fedora considers curl-minimal

Posted Mar 15, 2022 15:11 UTC (Tue) by amacater (subscriber, #790) [Link]

Curl is the "Oh dear, if that's the recommended way to get components for [Kubernetes/Open Stack/any other popular program], it's bound to be a world of hurt putting it all together" moment for me.

Maybe I've been insulated by living with distributions for too long but it's also very much a "don't trust anything that asks you to curl/wget stuff from random 'Net addresses" syndrome, I'm afraid.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds