
feat(curl): Replace curl-static with static binary

Open SamD2021 opened this issue 2 months ago • 2 comments

Fixes: https://github.com/chainguard-dev/image-requests/issues/7091

Related:

Pre-review Checklist

For new package PRs only

  • [ ] This PR is marked as fixing a pre-existing package request bug
    • [ ] Alternatively, the PR is marked as related to a pre-existing package request bug, such as a dependency
  • [ ] REQUIRED - The package is available under an OSI-approved or FSF-approved license
  • [ ] REQUIRED - The version of the package is still receiving security updates
  • [ ] This PR links to the upstream project's support policy (e.g. endoflife.date)

For new version streams

  • [ ] The upstream project actually supports multiple concurrent versions.
  • [ ] Any subpackages include the version string in their package name (e.g. name: ${{package.name}}-compat)
  • [ ] The package (and subpackages) provides: logical unversioned forms of the package (e.g. nodejs, nodejs-lts)
  • [ ] If non-streamed package names no longer built, open PR to withdraw them (see WITHDRAWING PACKAGES)

For package updates (renames) in the base images

When updating packages part of base images (i.e. cgr.dev/chainguard/wolfi-base or ghcr.io/wolfi-dev/sdk)

  • [ ] REQUIRED cgr.dev/chainguard/wolfi-base and ghcr.io/wolfi-dev/sdk images successfully build
  • [ ] REQUIRED cgr.dev/chainguard/wolfi-base and ghcr.io/wolfi-dev/sdk contain no obsolete (no longer built) packages
  • [ ] Upon launch, apk upgrade --latest either successfully upgrades packages or performs no action

For security-related PRs

  • [ ] The security fix is recorded in the advisories repo

CVE Scanning: This PR will fail if ANY CVEs are found (fail-any mode). To customize:

  • Must-fix specific CVEs only: Add <!--ci-cve-scan:must-fix: CVE-ID--> markers and remove the line below
  • Fail on any CVEs (default): Keep the marker below
<!--ci-cve-scan:fail-any-->

For version bump PRs

  • [ ] The epoch field is reset to 0

For PRs that add patches

  • [ ] Patch source is documented

SamD2021 avatar Nov 06 '25 21:11 SamD2021

This might evade scanners as they will no longer report vulnerabilities for shared libraries.

This might work if the ELF note metadata from all the shared libraries is included in the final static binary.

xnox avatar Nov 06 '25 21:11 xnox
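As an added illustration of the point made in the comment above (example code written for this page, not from the PR, from curl or from Wolfi): scanners that attribute vulnerabilities through ELF package-metadata notes can only see what a static binary contains if every bundled component's note survives the link. The script below reads the `.note.package` notes (owner "FDO", type 0xcafe1a7e, JSON payload, as defined in the systemd ELF package metadata spec) from an ELF64 image, and builds two constructed fixtures, one carrying notes for the linked components and one carrying none, to show what a scanner would and would not be able to attribute. Package names and versions in it are placeholders, not Wolfi's real values.

```python
"""Added example (not from the PR): inspect the ELF package-metadata notes
(.note.package, owner "FDO", type 0xcafe1a7e, JSON payload, per the
systemd ELF_PACKAGE_METADATA spec) that scanners use to attribute the
components baked into a static binary. ELF64 only; standard library only."""
import json
import struct

FDO_PACKAGE_NOTE_TYPE = 0xCAFE1A7E
SHT_NOTE = 7
SHT_STRTAB = 3


def _pad4(n: int) -> int:
    """Round up to the 4-byte alignment ELF notes require."""
    return (n + 3) & ~3


def build_package_note(metadata: dict) -> bytes:
    """Encode one note: Nhdr (namesz, descsz, type), "FDO\\0", NUL-terminated JSON."""
    name = b"FDO\0"
    desc = json.dumps(metadata, separators=(",", ":")).encode() + b"\0"
    hdr = struct.pack("<III", len(name), len(desc), FDO_PACKAGE_NOTE_TYPE)
    return hdr + name.ljust(_pad4(len(name)), b"\0") + desc.ljust(_pad4(len(desc)), b"\0")


def iter_notes(section: bytes, endian: str = "<"):
    """Yield (owner, type, desc) for each note in the raw bytes of a SHT_NOTE section."""
    off = 0
    while off + 12 <= len(section):
        namesz, descsz, ntype = struct.unpack_from(endian + "III", section, off)
        off += 12
        owner = section[off:off + namesz].rstrip(b"\0").decode("ascii", "replace")
        off += _pad4(namesz)
        desc = section[off:off + descsz]
        off += _pad4(descsz)
        yield owner, ntype, desc


def package_metadata(elf: bytes) -> list:
    """Decode every FDO package note found in any SHT_NOTE section of an ELF64 image."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2:
        raise ValueError("not an ELF64 image")
    endian = "<" if elf[5] == 1 else ">"
    (e_shoff,) = struct.unpack_from(endian + "Q", elf, 40)      # e_shoff
    e_shentsize, e_shnum = struct.unpack_from(endian + "HH", elf, 58)
    found = []
    for i in range(e_shnum):
        base = e_shoff + i * e_shentsize
        (sh_type,) = struct.unpack_from(endian + "I", elf, base + 4)
        if sh_type != SHT_NOTE:
            continue
        sh_offset, sh_size = struct.unpack_from(endian + "QQ", elf, base + 24)
        for owner, ntype, desc in iter_notes(elf[sh_offset:sh_offset + sh_size], endian):
            if owner == "FDO" and ntype == FDO_PACKAGE_NOTE_TYPE:
                found.append(json.loads(desc.rstrip(b"\0").decode()))
    return found


def component_names(elf: bytes) -> list:
    """What a scanner could attribute: the sorted package names carried in the notes."""
    return sorted(m["name"] for m in package_metadata(elf) if "name" in m)


def minimal_elf64(note_section: bytes) -> bytes:
    """Constructed test fixture: a tiny ELF64 image holding just a .note.package
    section and its string table. Not a runnable program; only feeds the reader."""
    shstrtab = b"\0.note.package\0.shstrtab\0"  # name offsets 1 and 15
    note_off = 64                                # directly after the ELF header
    str_off = note_off + _pad4(len(note_section))
    shoff = (str_off + len(shstrtab) + 7) & ~7   # 8-byte aligned section header table
    ident = b"\x7fELF" + bytes([2, 1, 1, 0, 0]) + b"\0" * 7  # ELF64, little-endian, v1
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident, 2, 0x3E, 1, 0, 0, shoff, 0,
                       64, 0, 0, 64, 3, 2)

    def shdr(name, typ, off, size, align):
        return struct.pack("<IIQQQQIIQQ", name, typ, 0, 0, off, size, 0, 0, align, 0)

    shdrs = (shdr(0, 0, 0, 0, 0)
             + shdr(1, SHT_NOTE, note_off, len(note_section), 4)
             + shdr(15, SHT_STRTAB, str_off, len(shstrtab), 1))
    body = ehdr + note_section.ljust(str_off - note_off, b"\0") + shstrtab
    return body.ljust(shoff, b"\0") + shdrs


if __name__ == "__main__":
    # Constructed metadata: names and versions are placeholders, not Wolfi's real values.
    bundled = [{"type": "apk", "name": n, "version": "0.0.0-example", "architecture": "x86_64"}
               for n in ("curl", "krb5", "openssl")]
    with_notes = minimal_elf64(b"".join(build_package_note(m) for m in bundled))
    without_notes = minimal_elf64(b"")
    print("static binary with merged notes :", component_names(with_notes))
    print("static binary without notes     :", component_names(without_notes))
```

Run against a real static binary by passing its bytes to `component_names`; an empty list means the scanner has nothing to attribute beyond the binary's own package, which is the situation the comment warns about.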

⚙️ Build Failed: Configuration

configure: error: --with-gssapi was specified, but a GSS-API library was not found.

Build Details

Category        Details
Build System    autotools
Failure Point   configure script execution during curl-static subpackage build

Root Cause Analysis 🔍

The configure script cannot find the GSS-API library despite the --with-gssapi flag being specified. The library detection failed even though GSS-API headers were found (gssapi/gssapi.h, gssapi/gssapi_generic.h, gssapi/gssapi_krb5.h), and MIT Kerberos version 1.22.1 was detected. This suggests that while the headers are present, the actual library files or linking configuration is missing or incompatible with the static linking requirements (LDFLAGS="-static").


🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Suggested Changes

File: curl.yaml

  • Addition around line 30 (environment.contents.packages)

    Original:

      - krb5-dev
      - krb5-static

    Replacement:

      - krb5-dev
      - krb5-static
      - mit-krb5-static

    Content: Add krb5-static package dependency

  • Modification around lines 75-85 (curl-static subpackage configure opts)

    Original:

    LIBS="-lbrotlidec -lbrotlicommon -lnghttp2 -lpsl -lidn2 -lunistring -lssl -lcrypto -ljitterentropy -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err -lkrb5support -lkeyutils -lz -lresolv"

    Replacement:

    LIBS="-lbrotlidec -lbrotlicommon -lnghttp2 -lpsl -lidn2 -lunistring -lssl -lcrypto -ljitterentropy -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err -lkrb5support -lkeyutils -lresolv -ldl -lpthread"

    Content: Update LIBS to include proper static library linking order for GSS-API

  • Modification around line 90 (curl-static subpackage make opts)

    Original:

    opts: CPPFLAGS="$CPPFLAGS -DOPENSSL_NO_ENGINE -D_GNU_SOURCE" LDFLAGS="-static -all-static" LIBS="-lbrotlidec -lbrotlicommon -lnghttp2 -lpsl -lidn2 -lunistring -lssl -lcrypto -ljitterentropy -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err -lkrb5support -lkeyutils -lz -lresolv"

    Replacement:

    opts: CPPFLAGS="$CPPFLAGS -DOPENSSL_NO_ENGINE -D_GNU_SOURCE" LDFLAGS="-static -all-static" LIBS="-lbrotlidec -lbrotlicommon -lnghttp2 -lpsl -lidn2 -lunistring -lssl -lcrypto -ljitterentropy -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err -lkrb5support -lkeyutils -lresolv -ldl -lpthread"

    Content: Update make LIBS to match configure LIBS

Analysis

No similar build failures were provided for analysis. However, the error indicates that while GSS-API headers are found, the actual library files or linking configuration is missing for static linking. The issue occurs specifically in the curl-static subpackage where LDFLAGS="-static" is used, suggesting that the static GSS-API libraries may not be available or properly linked.


Explanation

The build failure occurs because the configure script cannot find the GSS-API library for static linking, even though headers are present. This is a common issue with static linking where additional system libraries and proper linking order are required. The fix addresses this by: 1) Adding -ldl and -lpthread to LIBS, which are commonly required for static linking with GSS-API/Kerberos libraries as they depend on dynamic loading and threading functionality, 2) Ensuring the mit-krb5-static package is available (though krb5-static should provide this), 3) Maintaining consistent LIBS between configure and make steps. The additional libraries (-ldl for dynamic loading, -lpthread for threading) are essential for static linking with Kerberos/GSS-API libraries that internally use these system services.


Alternative Approaches

  • Disable GSS-API support entirely by removing --with-gssapi and --enable-kerberos-auth flags from the curl-static subpackage configuration
  • Use pkg-config to automatically detect the correct static library dependencies for GSS-API: PKG_CONFIG='pkg-config --static'
  • Add explicit library path configuration: LDFLAGS='-static -L/usr/lib -L/usr/lib/mit-krb5'
  • Split the static build into two phases: first build shared libraries, then rebuild statically with proper dependency resolution


octo-sts[bot] avatar Nov 06 '25 21:11 octo-sts[bot]