Thread: 4 messages, 3 authors, 2021-09-27

Re: [OE-core] [PATCH] curl: Update tls backend PACKAGECONFIG options

From: Joshua Watt <hidden>
Date: 2021-09-27 12:10:37

On Mon, Sep 27, 2021, 6:36 AM Tom Pollard [off-list ref] wrote:
Hi Richard,

On 25/09/2021 22:43, Richard Purdie wrote:
On Fri, 2021-09-24 at 17:00 +0100, Tom Pollard wrote:
curl 7.77.0 made the tls backend configuration explicit. openssl
is now a specific option replacing the default `--with-ssl`, and
`--without-ssl` is required to build without any tls, overriding any
other tls config. Adding `without-ssl` as a mutually exclusive
option against the existing tls options should prevent users
silently disabling other enabled tls backends.

https://curl.se/changes.html#7_77_0

Signed-off-by: Tom Pollard <redacted>
---
 meta/recipes-support/curl/curl_7.78.0.bb | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/meta/recipes-support/curl/curl_7.78.0.bb
b/meta/recipes-support/curl/curl_7.78.0.bb
quoted
quoted
index dece0babb2..315755c9b1 100644
--- a/meta/recipes-support/curl/curl_7.78.0.bb
+++ b/meta/recipes-support/curl/curl_7.78.0.bb
@@ -20,16 +20,17 @@ CVE_PRODUCT = "haxx:curl haxx:libcurl curl:curl
curl:libcurl libcurl:libcurl dan
quoted
quoted
 inherit autotools pkgconfig binconfig multilib_header

-PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)}
ssl libidn proxy threaded-resolver verbose zlib"
quoted
quoted
-PACKAGECONFIG:class-native = "ipv6 proxy ssl threaded-resolver verbose
zlib"
quoted
quoted
-PACKAGECONFIG:class-nativesdk = "ipv6 proxy ssl threaded-resolver
verbose zlib"
quoted
quoted
+PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)}
openssl libidn proxy threaded-resolver verbose zlib"
quoted
quoted
+PACKAGECONFIG:class-native = "ipv6 proxy openssl threaded-resolver
verbose zlib"
quoted
quoted
+PACKAGECONFIG:class-nativesdk = "ipv6 proxy openssl threaded-resolver
verbose zlib"
quoted
quoted
 # 'ares' and 'threaded-resolver' are mutually exclusive
+# 'without-ssl' explicitly disables tls, silently overriding other tls
config and is required if no backend(s) are configured
quoted
quoted
 PACKAGECONFIG[ares] =
"--enable-ares,--disable-ares,c-ares,,,threaded-resolver"
quoted
quoted
 PACKAGECONFIG[brotli] = "--with-brotli,--without-brotli,brotli"
 PACKAGECONFIG[builtinmanual] = "--enable-manual,--disable-manual"
 PACKAGECONFIG[dict] = "--enable-dict,--disable-dict,"
-PACKAGECONFIG[gnutls] = "--with-gnutls,--without-gnutls,gnutls"
+PACKAGECONFIG[gnutls] =
"--with-gnutls,--without-gnutls,gnutls,,,without-ssl"
quoted
quoted
 PACKAGECONFIG[gopher] = "--enable-gopher,--disable-gopher,"
 PACKAGECONFIG[imap] = "--enable-imap,--disable-imap,"
 PACKAGECONFIG[ipv6] = "--enable-ipv6,--disable-ipv6,"
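
Review bot: The comment added above `PACKAGECONFIG[ares]` says 'without-ssl' silently overrides other tls config, but the sixth field added to `PACKAGECONFIG[gnutls]` (`without-ssl`) declares the two options as conflicting, the same mechanism the 'ares' and 'threaded-resolver' comment one line up calls mutually exclusive. Suggest rewording the comment to describe what the recipe now enforces: 'without-ssl' is mutually exclusive with the tls backend options and has to be selected explicitly when no backend is enabled. The defaults at the top of this hunk also change `ssl` to `openssl`; the commit message should say the option was renamed so that layers still setting `ssl` know to update.
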
@@ -39,7 +40,7 @@ PACKAGECONFIG[ldaps] =
"--enable-ldaps,--disable-ldaps,"
quoted
quoted
 PACKAGECONFIG[libgsasl] = "--with-libgsasl,--without-libgsasl,libgsasl"
 PACKAGECONFIG[libidn] = "--with-libidn2,--without-libidn2,libidn2"
 PACKAGECONFIG[libssh2] = "--with-libssh2,--without-libssh2,libssh2"
-PACKAGECONFIG[mbedtls] =
"--with-mbedtls=${STAGING_DIR_TARGET},--without-mbedtls,mbedtls"
quoted
quoted
+PACKAGECONFIG[mbedtls] =
"--with-mbedtls=${STAGING_DIR_TARGET},--without-mbedtls,mbedtls,,,without-ssl"
quoted
quoted
 PACKAGECONFIG[mqtt] = "--enable-mqtt,--disable-mqtt,"
 PACKAGECONFIG[nghttp2] = "--with-nghttp2,--without-nghttp2,nghttp2"
 PACKAGECONFIG[pop3] = "--enable-pop3,--disable-pop3,"
@@ -48,12 +49,13 @@ PACKAGECONFIG[rtmpdump] =
"--with-librtmp,--without-librtmp,rtmpdump"
quoted
quoted
 PACKAGECONFIG[rtsp] = "--enable-rtsp,--disable-rtsp,"
 PACKAGECONFIG[smb] = "--enable-smb,--disable-smb,"
 PACKAGECONFIG[smtp] = "--enable-smtp,--disable-smtp,"
-PACKAGECONFIG[ssl] = "--with-ssl
--with-random=/dev/urandom,--without-ssl,openssl"
quoted
quoted
-PACKAGECONFIG[nss] = "--with-nss,--without-nss,nss"
+PACKAGECONFIG[openssl] = "--with-openssl
--with-random=/dev/urandom,,openssl,,,without-ssl"
quoted
quoted
+PACKAGECONFIG[nss] = "--with-nss,--without-nss,nss,,,without-ssl"
 PACKAGECONFIG[telnet] = "--enable-telnet,--disable-telnet,"
 PACKAGECONFIG[tftp] = "--enable-tftp,--disable-tftp,"
 PACKAGECONFIG[threaded-resolver] =
"--enable-threaded-resolver,--disable-threaded-resolver,,,,ares"
quoted
quoted
 PACKAGECONFIG[verbose] = "--enable-verbose,--disable-verbose"
+PACKAGECONFIG[without-ssl] = "--without-ssl,,,,,gnutls mbedtls openssl
nss"
quoted
quoted
 PACKAGECONFIG[zlib] =
"--with-zlib=${STAGING_LIBDIR}/../,--without-zlib,zlib"
quoted
quoted
 EXTRA_OECONF = " \
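
Review bot: `PACKAGECONFIG[openssl]` has an empty disable field and `PACKAGECONFIG[ssl]` is removed with no replacement under the old name, so a configuration that used to drop `ssl` to get `--without-ssl` now passes neither `--with-openssl` nor `--without-ssl` unless `without-ssl` is added by hand. Making a TLS-less curl an explicit opt-in is reasonable, but the behaviour change deserves a line in the commit message and a short comment beside `PACKAGECONFIG[without-ssl]`. The conflict list `gnutls mbedtls openssl nss` is maintained by hand, so that comment should also remind anyone adding another backend option to extend it.
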
I think this change breaks mingw:

https://autobuilder.yoctoproject.org/typhoon/#/builders/89/builds/4055
It looks like the append in meta-mingw will need updating to align with
the change of the 'ssl' package option to 'openssl' and additionally the
requirement of explicitly adding the 'without-ssl' option to achieve the
old behavior:


http://git.yoctoproject.org/cgit.cgi/meta-mingw/tree/recipes-support/curl/curl_%25.bbappend

How would I go about synchronizing the change? I guess this also
highlights that it could be a breaking change to other meta layers that
append curl.

Submit the patch to meta-mingw; now that Richard and I know to look for it,
we will make sure it is synchronized.

Enforcing the mutual exclusivity of the `without-ssl` option is also
something that should be considered to deem if it is necessary, or should it
be left to the integrator to understand the change in behavior if the
option is selected whilst other ssl options are also included.

Regards,

Tom
Cheers,

Richard
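
The option handling discussed in this thread, as an added example that is not part of the original messages and is not BitBake's own code: a simplified Python model of how the six-field `PACKAGECONFIG[...]` entries from the patch turn a selection into configure arguments, flagging the conflicts and the "no TLS choice at all" case. The names `FLAGS`, `TLS_BACKENDS`, `parse_flag` and `check` are hypothetical; the flag values are copied from the patched recipe.

```python
# Added illustration: a simplified model of PACKAGECONFIG handling, not BitBake's code.
# Flag definitions are the TLS-related entries (plus zlib) from the patched recipe.
FLAGS = {
    "gnutls": "--with-gnutls,--without-gnutls,gnutls,,,without-ssl",
    "mbedtls": "--with-mbedtls=${STAGING_DIR_TARGET},--without-mbedtls,mbedtls,,,without-ssl",
    "openssl": "--with-openssl --with-random=/dev/urandom,,openssl,,,without-ssl",
    "nss": "--with-nss,--without-nss,nss,,,without-ssl",
    "without-ssl": "--without-ssl,,,,,gnutls mbedtls openssl nss",
    "zlib": "--with-zlib=${STAGING_LIBDIR}/../,--without-zlib,zlib",
}
TLS_BACKENDS = {"gnutls", "mbedtls", "openssl", "nss"}  # hypothetical helper set


def parse_flag(value):
    """Split 'enable,disable,depends,rdepends,rrecommends,conflicts'; trailing fields optional."""
    fields = (value.split(",") + [""] * 6)[:6]
    return {"enable": fields[0], "disable": fields[1], "conflicts": set(fields[5].split())}


def check(selected):
    """Return (configure_args, problems) for a space-separated PACKAGECONFIG value."""
    chosen = selected.split()
    defs = {name: parse_flag(value) for name, value in FLAGS.items()}
    problems, args = [], []
    for name in chosen:
        if name not in defs:  # e.g. an append that still names the old 'ssl' option
            problems.append(f"unknown option '{name}'")
    for name, flag in defs.items():
        if name in chosen:
            clash = sorted(flag["conflicts"] & set(chosen))
            if clash:
                problems.append(f"'{name}' conflicts with {' '.join(clash)}")
            args.append(flag["enable"])
        elif flag["disable"]:  # an empty disable field contributes no argument
            args.append(flag["disable"])
    if not (TLS_BACKENDS | {"without-ssl"}) & set(chosen):
        problems.append("no TLS backend and no 'without-ssl' selected")
    return args, problems


if __name__ == "__main__":
    # Constructed sample selections, including the pre-patch option name 'ssl'.
    for cfg in ("openssl zlib", "ssl zlib", "without-ssl gnutls", "without-ssl zlib"):
        print(f"{cfg!r}: {check(cfg)}")
```
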



