net-misc/curl: enable multiple ssl implementations #16592
Conversation
Signed-off-by: Tom Gillespie <tgbugs@gmail.com>
Pull Request assignmentSubmitter: @tgbugs net-misc/curl: @blueness Linked bugsNo bugs to link found. If your pull request references any of the Gentoo bug reports, please add appropriate GLEP 66 tags to the commit message and request reassignment. If you do not receive any reply to this pull request, please open or link a bug to attract the attention of maintainers. In order to force reassignment and/or bug reference scan, please append Docs: Code of Conduct ● Copyright policy (expl.) ● Devmanual ● GitHub PRs ● Proxy-maint guide |
gentoo-bot
added
assigned
|
Some thoughts on what to do about other packages that make use of CURL_SSL are in these two commit messages. Reproduced here as well. I think the right solution is to just use Added REQUIRE_USE on the curl_ssl_* options and change = to ? so that we |
|
I looked over this and it looks like it should work. Have you tested thoroughly? |
|
I'm in the process of running a grid of tests over all the possible default backends except for libressl (I don't have a convenient environment with it installed instead of openssl) with Also the change from CURL_SSL allowing a single value to CURL_SSL allowing multiple values will block emerge for any users that set |
|
I was able to sort out the the issue with the use flags, it has more to do with unintuitive behavior of setting edit: looks like adding CURL_DEFAULT_SSL="openssl" in profiles/base/make.defaults is the right solution here, and it may make sense to add CURL_SSL="openssl" to make.defaults as well rather than setting edit edit: unfortunately it looks like using make.defaults still requires the user to set |
|
Testing on amd64 with CURL_DEFAULT_SSL set to openssl, gnutls, nss, and mbedtls I have encountered only a single error which is a mismatch between the features of curl and curl-config when using mbedtls as the default backend. I think two additional things need to happen at this point. First we have to run the addition of CURL_DEFAULT_SSL USE_EXPAND by the dev mailing list, and two there needs to be a news item written to explain the change in behavior. HOWEVER I think this is not the end of the story because many packages that make use of CURL_SSL have broken dependency rules which try to force openssl to only have a single backend enabled (it seems likely that that should never have been done in the first place, but I don't know the exact history). I do not think that this would block this pr from being merged though, especially given that nearly every library that makes use of the CURL_SSL flags has a note that says "if curl changes you need to rebuild this too". As a side note all of these tests were also conducted with curl built using distcc in case that is of interest to anyone. Another side note is that the default backend does not have to be included in CURL_SSL, it will be enabled, but it |
Pull request CI reportReport generated at: 2020-07-09 20:16 UTC There are existing issues already. Please look into the report to make sure none of them affect the packages in question: |
|
What is the status of this work? |
|
If there are no objections to the approach from anyone here then, this pr by itself is ready I think, but I don't think we need a news item immediately, maybe once other ebuilds are updated to allow multiple backends, but for now the new behavior is backwards compatible with any existing configs, so it shouldn't break existing systems. That said, until other ebuilds using In words, users should only set a single backend globally until the other ebuilds using CURL_SSL are updated to reflect the change. |
|
Let me get another reviewer to look at this to see if this might cause other problems. |
net-misc/curl/curl-7.71.1-r1.ebuild
Outdated
| curl_ssl_winssl? ( elibc_Winnt ) | ||
| threads? ( !adns ) | ||
| ssl? ( | ||
| curl_ssl_libressl? ( !curl_ssl_openssl ) |
There was a problem hiding this comment.
Can we use this as an opportunity to eliminate this artifical libressl/openssl switch, and start using USE=libressl like every other package? It might also make sense to eliminate CURL_SSL if they are no longer mutually exclusive. In fact, it might be cleaner to just use regular flags for the newfangled multi-backend thingie and CURL_SSL for the default backend which is roughly the old behavior.
There was a problem hiding this comment.
I like this suggestion a lot. Except for the usual libressl/openssl issue none of the backends are mutually exclusive. I think we may not even need CURL_SSL anymore once the rest of the ebuilds using it have been migrated. They would be able to make use of any global use flag that is set (e.g. USE=gnutls). For packages that currently use CURL_SSL and still need the SSL backends to be mutually exclusive I think we can transition them to the standard pattern for that that is used elsewhere. I think it is much more in line with how things work now and more consistent with how use flags are supposed to work generally. I will take a pass at implementing it.
There was a problem hiding this comment.
I added CURL_SSL at the suggestion of another dev and have regretted ever since. Maybe we can take care of one issue at a time though to not confuse the matter.
net-misc/curl/curl-7.71.1-r1.ebuild
Outdated
| einfo "SSL provided by gnutls" | ||
| myconf+=( --with-gnutls --with-nettle ) | ||
| fi | ||
| if use curl_ssl_libressl || use curl_default_ssl_libressl; then |
There was a problem hiding this comment.
You don't really need two separate LibreSSL/OpenSSL blocks because both do the same.
There was a problem hiding this comment.
I left them this way in the event that at some point in the future there might be a need to handle them differently. If you think that won't ever happen then I can remove the duplicate block.
net-misc/curl/curl-7.71.1-r1.ebuild
Outdated
| if use curl_default_ssl_gnutls; then | ||
| einfo "Default SSL provided by gnutls" | ||
| myconf+=( --with-default-ssl-backend=gnutls ) | ||
| elif use curl_default_ssl_libressl; then |
profiles/desc/curl_default_ssl.desc
Outdated
| @@ -0,0 +1,11 @@ | |||
| # Copyright 1999-2020 Gentoo Foundation. | |||
There was a problem hiding this comment.
We do 'Gentoo Authors' nowadays.
There was a problem hiding this comment.
I will update curl_ssl.desc while I'm at it since that is where that line came from.
profiles/desc/curl_default_ssl.desc
Outdated
|
|
||
| # This file contains descriptions of CURL_DEFAULT_SSL USE_EXPAND flags for net-misc/curl | ||
|
|
||
| gnutls - Use GnuTLS |
There was a problem hiding this comment.
These should explain what happens when you set them, i.e. what's the diff between 'default' and 'multi' target thingie.
profiles/desc/curl_default_ssl.desc
Outdated
| mbedtls - Use mbed TLS | ||
| nss - Use Mozilla's Network Security Services | ||
| openssl - Use OpenSSL | ||
| winssl - Use WinSSL (only with elibc_Winnt) |
There was a problem hiding this comment.
Please fix your editor to leave trailing newlines.
There was a problem hiding this comment.
I think that was actually me doing it manually since I was confused by why nss and winssl had them in the first place. I will avoid doing so in the future. For the record do you know the reason they are present?
There was a problem hiding this comment.
Try cat file on a file without trailing newline.
There was a problem hiding this comment.
Oof. Yeah. Will fix. I usually see in commits that I add newlines to the end of files that don't have them rather than remove them so this case is egregiously bad, will see what is going on with it.
|
I don't see any changes pushed since my last review. |
This commit makes it possible to enable multiple ssl backends for curl by setting any of the gnutls, libressl/openssl, mbedtls, nss, and winssl use flags. The behavior of CURL_SSL is slighly modified so that it sets the default ssl backend that curl uses rather than the only backend that it uses. This allows it to continue to be used on other ebuilds without users having to make any changes to their current use flag configuration. Signed-off-by: Tom Gillespie <tgbugs@gmail.com>
This allows testing when FEATURES=test is set explicitly. On amd64 all tests are passing for curl-7.71.1-r1.ebuild with multiple use flag combinations, so it seems to make sense to make it possible to run tests without having to modify the ebuild. Signed-off-by: Tom Gillespie <tgbugs@gmail.com>
|
I have implemented @mgorny 's suggestion to simplify things by just using the regular use flags. This leaves the behavior of CURL_SSL in place but now it only applies to the default. This should minimize disruption of other ebuilds while we resolve the question of what to do with CURL_SSL. It seems like there needs to be something like CURL_SSL in order to set the default (ala PYTHON_SINGLE_TARGET ??), but not in the very restrictive way that it is used throughout the tree at the moment. As a result all the changes related to CURL_DEFAULT_SSL have been removed (thankfully). |
|
I suppose you need to update/clone some profile-specific masks for the new flags. |
|
Yes you're right. The winssl needs to be masked. Will do a review of those and add the fixes. |
Signed-off-by: Tom Gillespie <tgbugs@gmail.com>
Signed-off-by: Tom Gillespie <tgbugs@gmail.com>
Pull request CI reportReport generated at: 2020-08-02 01:07 UTC New issues caused by PR: There are existing issues already. Please look into the report to make sure none of them affect the packages in question: |
|
Okay, looks like this is ready to be committed. I'll do some testing and then commit. |
|
Okay, I had to drop ~riscv because of dependency problems. Other than that, this is good and I pushed it. |
Makes it possible to enable multiple
CURL_SSLoptions.It also adds the
CURL_DEFAULT_SSLprefix to set the default sslimplementation when multiple implementations are enabled.
There is at least one other package affected by this
dev-python/pycurland I suspect that there are others, and that the CI report will show this.I am marking this as a draft since there is at least one known issue and because I am not sure that my approach with the
CURL_DEFAULT_SSLuse expand option is the best approach.Related to: https://bugs.gentoo.org/674706
@thesamesam
@jer-gentoo
@blueness