@rinsuki rinsuki commented Nov 24, 2025

Because OpenSSL 3.2+ uses those libraries to support TLS Certificate Compression, OpenSSL now requires zlib and libzstd (see https://packages.debian.org/trixie/libssl3t64 ).

Without this change, users need to add zlib/libzstd manually in their Dockerfile to use OpenSSL; otherwise they would get errors like `libzstd.so.1: cannot open shared object file: No such file or directory`.

see:

(note: Debian disables brotli compression so we don't need brotli libraries at this time, see https://salsa.debian.org/debian/openssl/-/commit/26109eddd699cce5c3aecb42ec1c5178cbde7d84 )

This should fix #1887 and other comments, e.g.

P.S. I couldn't run the full test suite since I don't have enough free space to run that.

Because OpenSSL 3.2+ uses those libraries to support TLS Certificate Compression, OpenSSL now requires zlib and libzstd.

Without this change, you need to add zlib/libzstd manually in your Dockerfile to use OpenSSL; otherwise you will get errors like `libzstd.so.1: cannot open shared object file: No such file or directory`.

see:
* https://salsa.debian.org/debian/openssl/-/commit/ca7e7b08746d408da112fe63d5a3bf941c345ec0

(note: Debian is disabling brotli compression, see https://salsa.debian.org/debian/openssl/-/commit/26109eddd699cce5c3aecb42ec1c5178cbde7d84 )

@gemini-code-assist

Summary of Changes

Hello @rinsuki, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request updates the base-debian13 Docker image to include essential compression libraries, zlib and libzstd, along with the openssl-provider-legacy package. This is crucial because newer versions of OpenSSL (3.2+) now depend on these libraries for TLS Certificate Compression, and their absence was causing runtime errors for users. The changes ensure that the base image provides a complete environment for applications relying on modern OpenSSL features.

Highlights

  • Dependency Addition: Added zlib1g, libzstd1, and openssl-provider-legacy to the base-debian13 image. This ensures OpenSSL 3.2+ functions correctly by providing necessary libraries for TLS Certificate Compression.
  • Issue Resolution: This change addresses common errors like libzstd.so.1: cannot open shared object file: No such file or directory that users encountered when OpenSSL required these libraries.
  • Package Refactoring: Moved zlib1g from the cc/config.bzl package list to the base/config.bzl for debian13, centralizing its inclusion as a core dependency.
@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request adds zlib1g and libzstd1 to the base-debian13 image, as they are now required dependencies for OpenSSL 3.2+ for TLS certificate compression. The zlib1g package is also correctly moved from the cc image packages to the base image packages to ensure it's available in the base and avoid duplication. The changes are consistent across the configuration files and the generated lock files. I've added a couple of minor suggestions to improve maintainability by sorting the new package lists alphabetically.

Comment on lines 29 to 31
- zlib1g
- libzstd1
- openssl-provider-legacy
Contributor

medium

For better maintainability and consistency, it's good practice to keep package lists sorted alphabetically. Could you please sort these packages? This would also align with the suggested change in base/config.bzl.

  - libzstd1
  - openssl-provider-legacy
  - zlib1g

rinsuki commented Nov 24, 2025

What I Tested:

Previously (gcr.io/distroless/cc-debian13:nonroot@sha256:2e14174aa2ffeb547d1beaf8a6b72ba2721965be790c0f5541d699980dc64fa8), my private app (which is built with Rust and uses OpenSSL) doesn't work (error: error while loading shared libraries: libzstd.so.1: cannot open shared object file: No such file or directory)

After changing the base image to this patch (//cc:cc_nonroot_arm64_debian13), my Rust app works fine without the shared library error.
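
A check for the loader failure described in this thread, as an added example that is not part of the PR or the distroless project: it lists sonames that `readelf -d` reports as NEEDED but that are missing from an unpacked image root filesystem. The function names, the sample `readelf` output and the temporary rootfs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the PR): report shared libraries that a binary
# declares as NEEDED but that are absent from an unpacked image rootfs.

# Read `readelf -d` output on stdin, print one NEEDED soname per line.
needed_sonames() {
    sed -n 's/.*(NEEDED).*Shared library: \[\([^]]*\)].*/\1/p'
}

# Read sonames on stdin, print those not present under $1 (the rootfs).
# Assumption: libraries live in the usual Debian directories listed below.
missing_in_rootfs() {
    rootfs=$1
    while IFS= read -r soname; do
        found=no
        for dir in "$rootfs"/lib "$rootfs"/usr/lib \
                   "$rootfs"/lib/*-linux-gnu "$rootfs"/usr/lib/*-linux-gnu; do
            if [ -e "$dir/$soname" ]; then found=yes; fi
        done
        if [ "$found" = no ]; then printf '%s\n' "$soname"; fi
    done
}

# Constructed sample: dynamic section of a library linked against zstd and zlib.
SAMPLE_READELF=' 0x0000000000000001 (NEEDED)  Shared library: [libzstd.so.1]
 0x0000000000000001 (NEEDED)  Shared library: [libz.so.1]
 0x0000000000000001 (NEEDED)  Shared library: [libc.so.6]
 0x000000000000000e (SONAME)  Library soname: [libcrypto.so.3]'

# Build a throwaway rootfs that has libc and zlib but no libzstd, then check it.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/lib/aarch64-linux-gnu"
    touch "$root/usr/lib/aarch64-linux-gnu/libc.so.6" \
          "$root/usr/lib/aarch64-linux-gnu/libz.so.1"
    printf '%s\n' "$SAMPLE_READELF" | needed_sonames | missing_in_rootfs "$root"
    rm -rf "$root"
}

demo   # prints: libzstd.so.1
```

Against a real image the pipeline is `readelf -d <binary> | needed_sonames | missing_in_rootfs <rootfs>`; it does not follow dependencies transitively, so repeat it for each library the binary loads.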

@loosebazooka loosebazooka left a comment

I think this looks fine mostly.

base/config.bzl Outdated
"libssl3t64",
"libzstd1",
"zlib1g",
"openssl-provider-legacy",
Member

I'd prefer not to include legacy algorithms

Contributor Author

done @ b3bb521

@rinsuki rinsuki requested a review from loosebazooka November 25, 2025 00:38
@loosebazooka

Thanks! I'll merge this when tests pass

@loosebazooka loosebazooka merged commit a53e3a0 into GoogleContainerTools:main Nov 26, 2025
7 of 9 checks passed
Development

Successfully merging this pull request may close these issues.

compression lib for cc image debian13