Curl-minimal as default
curl-minimal will be installed by default instead of
The "minimal" variants provide only a subset of protocols (HTTP, HTTPS, FTP).
The full versions can be explicitly requested as
- Name: Zbigniew Jędrzejewski-Szmek, Kamil Dudka
- Email: zbyszek at in.waw.pl, kdudka at redhat.com
- Targeted release: Fedora Linux 37
- Last updated: 2022-03-10
- devel thread
- FESCo issue: #2768
- Tracker bug: <will be assigned by the Wrangler>
- Release notes tracker: <will be assigned by the Wrangler>
curl package provides two sets of subpackages:
libcurl-minimal are compiled with various semi-obsolete protocols and infrequently-used features disabled:
DICT, GOPHER, IMAP, LDAP, LDAPS, MQTT, NTLM, POP3, RTSP, SMB, SMTP, SFTP, SCP, TELNET, TFTP, brotli compression, IDN2 names.
(Both variants support HTTP, HTTPS, and FTP.)
This means that both sets can be used to satisfy a dependency on
curl has the virtual
libcurl has the virtual
The user or another package can explicitly pull in the full variants, e.g. with
dnf install curl-full
With this change,
Suggests: libcurl-minimal or
Suggests: curl-minimal will be added to a few packages
that already have a dependency on
Currently, doing this for
rpm is planned.
dnf will install the minimal variants, unless another package has a stronger dependency on the full variants.
Benefit to Fedora
There are two separate motivations for this.
Those infrequently used protocols are less tested than the common ones and are a source of security bugs.
Most users are not using those protocols anyway, so disabling them reduces the bug and attack surface.
(In fact, many applications already call
curl_easy_setopt(c, CURLOPT_PROTOCOLS, …) to internally
limit what protocols are supported. So even if
libcurl is swapped for
libcurl-minimal for many
uses this will not be a difference.)
The packages for the minimal variants are smaller:
a trivial installation with
libcurl+minimal is 18 MB download, 57 MB installed size, 50 packages;
the same with
libcurl-full is 21 MB download, 65 installed size, 62 packages.
Thus we save 8 MB, reducing the initial size by 12%.
- Proposal owners:
Create pull requests to add
Suggests: curl-minimal or
Suggests: libcurl-minimal as appropriate
to packages which already require
This means that any installation (which should be most of them) will get the minimal variants.
- Other developers:
For packages that use the full variants: add
Recommends: curl-full or
Recommends: libcurl-full or
Requires: curl-full or
Requires: libcurl-full as appropriate.
- Release engineering: #Releng issue number
- Policies and guidelines: N/A (not needed for this Change)
- Trademark approval: N/A (not needed for this Change)
- Alignment with Objectives:
Users who use curl or another application which uses libcurl with the removed protocols will lose support for those protocols. They will need to explicitly install the full variants.
Packages that require
libcurl-full at build time or run time will need to add
Requires: curl-full, or
Requires: libcurl-full as appropriate. Note that
libcurl-devel does not pull in
How To Test
dnf swap curl curl-minimal or
dnf swap libcurl libcurl-minimal and check that
curl and other applications using
libcurl still work.
This should be not be noticed by users, except as noted above in Upgrade/compatibility impact.
Remove the additions of Suggests, or even add explicit Recommends or Requires.
- Contingency deadline: any time, possibly even after the final release
- Blocks release? No
This page should be enough.
libcurl-minimal are installed by default. The support for various obsolete protocols is unavailable by default through curl (DICT, GOPHER, IMAP, LDAP, LDAPS, MQTT, NTLM, POP3, RTSP, SMB, SMTP, SFTP, SCP, TELNET, TFTP, brotli compression, IDN2 names).