vcpkg icon indicating copy to clipboard operation
vcpkg copied to clipboard
verified publisher icon microsoft

[curl] Requesting [core,mbedtls] still builds and depends on openssl

Open genotrance opened this issue 1 year ago • 3 comments

Describe the bug ./vcpkg install curl[core,mbedtls]

Environment

  • OS: Tested on Alpine Linux musl
  • Compiler: gcc 9.3.0

To Reproduce Steps to reproduce the behavior:

  1. ./vcpkg install curl[core,mbedtls]

Expected behavior I expect to depend 100% on mbedtls and have no dependencies on openssl.

Failure logs

  • There is no failure, just that the openssl binaries are also built and required at runtime.

genotrance avatar Feb 12 '24 15:02 genotrance

This is not possible until something like https://github.com/microsoft/vcpkg/pull/22216 gets implemented since these feature are options and not additive

autoantwort avatar Feb 12 '24 17:02 autoantwort

Cannot reproduce.

$ ./vcpkg depend-info curl[core,mbedtls]
vcpkg-cmake: 
vcpkg-cmake-config: 
mbedtls: vcpkg-cmake, vcpkg-cmake-config
zlib: vcpkg-cmake
curl[mbedtls]: mbedtls, vcpkg-cmake, vcpkg-cmake-config, zlib

dg0yt avatar Feb 12 '24 17:02 dg0yt

My mistake - I reduced the feature list too much. The following works as expected:

./vcpkg install curl[core,mbedtls]

However, if you include http2, it drags in openssl.

 ./vcpkg install curl[core,http2,mbedtls] --recurse
Computing installation plan...
The following packages will be built and installed:
    curl[core,http2,mbedtls,openssl,ssl]:[email protected]
  * mbedtls:[email protected]
  * nghttp2:[email protected]
  * openssl:[email protected]
  * zlib:[email protected]

I didn't see any feature options in the nghttp2 package.

genotrance avatar Feb 12 '24 18:02 genotrance

I didn't see any feature options in the nghttp2 package.

Yes, nghttp2 does not have any features.

jimwang118 avatar Feb 18 '24 07:02 jimwang118

I didn't see any feature options in the nghttp2 package.

Yes, nghttp2 does not have any features.

What does this mean to the original problem?
Why is this issue now in category:question now?

curl[http2] is declared to depend on curl[core,ssl] which selects the default SSL backend, curl[openssl] on linux. If possible, remove the dependency on curl[core,ssl]. It restricts choice of an alternative SSL backend.

dg0yt avatar Feb 18 '24 08:02 dg0yt

curl[http2] is declared to depend on curl[core,ssl] which selects the default SSL backend, curl[openssl] on linux. If possible, remove the dependency on curl[core,ssl]. It restricts choice of an alternative SSL backend.

Can curl[http2] delete the dependent feature ssl?

jimwang118 avatar Feb 18 '24 09:02 jimwang118

Try!

dg0yt avatar Feb 18 '24 10:02 dg0yt

Try!

After removing the ssl dependency, there is no problem compiling and using. I will submit a PR to fix it.

jimwang118 avatar Feb 19 '24 02:02 jimwang118

The upstream explains that you need to rely on openssl when using http2, and we need to ensure the port's versatility. You can remove http2's dependence on ssl locally yourself. https://github.com/curl/curl/blob/d5b0fee39a7898dac42cb4fc64e35f5bc085e766/docs/HTTP2.md

jimwang118 avatar Feb 22 '24 08:02 jimwang118

The link is not clear but the following note from nghttp2's repo clarifies:

OpenSSL >= 1.1.1; or LibreSSL >= 3.8.1; or aws-lc >= 1.19.0; or BoringSSL

Doesn't look like nghttp2 even supports mbedtls right now.

I'm new to vcpkg and this was a surprise to me. Might be good to notify in some way but this can happen with any package with any dependency. It would require vcpkg to support all combinations of features for every package (libressl and wolfssl are already in vcpkg so you would want nghttp2 to have those as features) and track which features are alternatives and reduce redundancy.

Closing this this is not feasible for mbedtls specifically but the general issue still holds.

genotrance avatar Feb 22 '24 15:02 genotrance