Fedora Looks To Lighten Its Default Curl Packages

While curl and the cURL library are most commonly used for HTTP(S) and FTP usage, this widely-used software also supports a plethora of other network protocols. In order to save disk space by default and also exposing its cURL packages to less security bugs by default, Fedora is looking at shipping "minimal" versions by default of its cURL packages.

A change proposal has been submitted for Fedora 37 that would use libcurl-minimal and curl-minimal packages by default. The "minimal" cURL packages only expose HTTP / HTTPS / FTP support while those needing other network protocol support could install libcurl-full and curl-full for the entire suite of support.

cURL

The cURL packages disable a wide range of obsolete or rarely used protocols like DICT, GOPHER, IMAP, LDAP, LDAPS, MQTT, NTLM, POP3, RTSP, SMB, SMTP, SFTP, SCP, TELNET, TFTP, brotli compression, and IDN2 names. The emphasis with minimal cURL is to save disk space and reduce the security risk for all the rarely-used/deprecated protocols that are sometimes home to security bugs.

More details on this planned change for Fedora 37 later in the year can be found via the Fedora Wiki.