Align libcurl with MSYS2 #76
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The MSYS2 project, from which Git for Windows' development environment
is derived, switched to building three flavors of libcurl a long time
ago: the OpenSSL flavor, the GNUTLS one, and the Secure Channel
("winssl") one.
To reduce maintenance burden, and also for the benefit that it will be
easier to upgrade OpenSSL from v1.1 to v3 in Git for Windows' SDK, let's
imitate that strategy.
Concretely, these are the changes that are made to align better with
MSYS2's build definition:
- The `pathtools.[ch]` files are copied directly, and kept in sync with
`mingw-w64-pathtools`' copies.
- Three flavors are built: mingw-w64-curl, mingw-w64-curl-gnutls and
mingw-w64-curl-winssl.
The following changes are Git for Windows-only and intentionally deviate
from MSYS2:
- We do not build static versions of libcurl.
- We still build `-pdb` packages.
- The `ca-bundle.crt` file needs to be found even if the DLL is in Git's
`libexec/` directory.
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Here, we introduce the concept of an "alternate" libcurl: by having a SSL/TLS backend-specific DLL name, these variations of libcurl can be installed side by side. That allows programs that load libcurl dynamically to choose at runtime which SSL/TLS backend to use, even if the default `libcurl-4.dll` does not provide that particular backend. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Git for Windows is currently blocked from upgrading OpenSSL v3.x because the `git clone` command (essential in pretty all of Git for Windows' automation) depends on libcurl, which in turn currently depends on OpenSSL, and therefore all of that would be broken after said upgrade because that would change the file name of the OpenSSL library. To unblock that upgrade, I devised the following plan: 1. Teach Git to load libcurl dynamically, optionally looking for a different file name depending on the `http.sslBackend` setting. 2. Build multiple variants of mingw-w64-curl, just like MSYS2 does, for different SSL/TLS backends. This has the additional benefit of better aligning Git for Windows with MSYS2. 3. Switch Git for Windows' SDKs to use the Secure Channel-only variant by default. There are benefits to that, too: For example, allowing `git clone` to fetch from hosts with self-signed certificates do not require `ca-bundle.crt` stunts when using Secure Channel, instead simply adding an exception when browsing the site with the web browser already does the trick. This switch is done by (temporarily) overriding the `mingw-w64-curl` package using Pacman's `replaces` directive. 4. Release Git for Windows v2.41.0 with this setup. 5. After a grace period allowing for a quick bug fix release (if needed), upgrade Git for Windows' SDKs to OpenSSL v3.*. 6. Remove the override (`replaces`) because it is no longer needed. This commit implements step 3. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
We just modified the way `mingw-w64-curl` is built, and extended the number of variants, and put in a temporary switch to a different package. In preparation for deploying all this, let's increment the package version accordingly. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
|
/deploy mingw-w64-curl The i686/x86_64 and the arm64 workflow runs were started. |
|
/add release note feature To help with Git for Windows' release mechanics, Git for Windows now ships with two variants of The workflow run was started |
dscho
added a commit
to dscho/build-extra
that referenced
this pull request
May 15, 2023
As of git-for-windows/MINGW-packages#76, Git for Windows wants to ship with _two_ libcurl variants: one that includes the Secure Channel backend to talk https://, and another one that includes the OpenSSL backend instead. Therefore, the `make-file-list` script that is used by Git for Windows' automation to list the files required for the various release assets needs to be adjusted, too. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
dscho
added a commit
to dscho/build-extra
that referenced
this pull request
May 15, 2023
Since git-for-windows/MINGW-packages#76, Git for Windows' SDKs no longer install the `mingw-w64-curl` package but instead the `mingw-w64-curl-winssl` package. As a consequence, we now have to include the PDBs for that package, too. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
dscho
added a commit
to dscho/build-extra
that referenced
this pull request
May 15, 2023
In line with git-for-windows/MINGW-packages#76, the default SSL/TLS backend is now the Secure Channel one. Let's reflect that in the installer. This makes Git for Windows' maintenance easier (see git-for-windows/git#4350 for a fuller explanation). But it has further benefits: the Secure Channel backend is the "more native" choice on Windows, as it integrates better with Windows. For example, when trusting a host with a self-signed certificate in a web browser, that trust extends to Secure Channel. With the OpenSSL backend, users had to jump through manual hoops to get `git clone <url>` to trust a host with a self-signed certificate. Note: The installer will _still_ pick up previous choices when upgrading from an earlier Git for Windows version. Only fresh installs without any current Git for Windows installations will receive the new default. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Years ago, I taught libcurl the trick to include multiple SSL/TLS backends, and then I taught Git for Windows to have a run-time option to choose between those. This allowed users relying on OpenSSL (e.g. because they read somewhere on the internet that you need OpenSSL to be able to access Git repositories on hosts with self-signed certificates) but also offering to rely on Secure Channel to handle https:// URLs.
However, this now comes back to bite me.
As per git-for-windows/git#4350 (comment), the major block for upgrading Git for Windows' OpenSSL from v1.1 to v3 is the tricky part where such an upgrade would break
git fetch/git cloneandgit pushbecause the libcurl depends on the OpenSSL DLL, and the major version bump will change the file name of said DLL.To overcome that, the plan is to build libcurl flavors for each supported SSL/TLS backend, aligning with the way MSYS2 builds libcurl, then switch Git for Windows' SDK to the Secure Channel-flavored libcurl, and teach Git to look for the specific flavor of libcurl corresponding to the
http.sslBackendsetting (if that was configured).git-for-windows/git#4410 teaches Git that trick, and this here PR changes the package definition so that those libcurl flavors are built.
To make full use of the feature implemented in git-for-windows/git#4410, with this PR we also build "alternate" packages (e.g.
mingw-w64-libcurl-openssl-alternate) that have the same dependencies as the regularmingw-w64-libcurlpackages, but do not conflict with them and only install the DLL with a name thatgit.exewill now look for.