Accepting request 1035938 from home:luc14n0:branches:devel:libraries:c_c++

Add 1.50.0 as the minimum libnghttp2 build requirement version as a bandaid. Curl's 7.86.0 release introduces the use of nghttp2_option_set_no_rfc9113_leading_and_trailing_ws_validation, introduced by nghttp2 1.50.0 release, without introducing a check for the function/right version in their build scripts. OBS-URL: https://build.opensuse.org/request/show/1035938 OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=323
2022-11-16 08:43:02 +00:00 · 2022-11-16 08:43:02 +00:00 · ad1aae2453
commit ad1aae2453
parent abfeb2c0ec
2 changed files with 27 additions and 1 deletions
--- a/curl.changes
+++ b/curl.changes
@ -1,3 +1,19 @@
+-------------------------------------------------------------------
+Wed Nov 16 03:09:27 UTC 2022 - Luciano Santos <luc14n0@opensuse.org>
+
+- Add 1.50.0 as the minimum libnghttp2 build requirement version as
+  a bandaid. Curl's 7.86.0 release introduces the use of
+  nghttp2_option_set_no_rfc9113_leading_and_trailing_ws_validation,
+  introduced by nghttp2 1.50.0 release, without introducing a check
+  for the function/right version in their build scripts. This will
+  make Zypper/cURL unusable in some corner cases where users
+  installing something that requires libcurl4 before doing full
+  system upgrade, thus updating the cURL stack, but not
+  libnghttp2's. Background: boo#1204983, Factory mailing list
+  threadd:
+  "? broken dependency in curl and/or *zyp* ?", and forums thread:
+  Curl-is-broken-after-an-update-which-subsequently-breaks-zypper.
+
 -------------------------------------------------------------------
 Wed Oct 26 07:51:51 UTC 2022 - Pedro Monreal <pmonreal@suse.com>

--- a/curl.spec
+++ b/curl.spec
@ -46,7 +46,17 @@ BuildRequires:  pkgconfig(libbrotlidec)
 BuildRequires:  pkgconfig(libidn2)
 # Disable metalink [bsc#1188218, CVE-2021-22923][bsc#1188217, CVE-2021-22922]
 # BuildRequires:  pkgconfig(libmetalink)
-BuildRequires:  pkgconfig(libnghttp2)
+#
+# The 7.86.0 cURL release introduced the use of
+# nghttp2_option_set_no_rfc9113_leading_and_trailing_ws_validation,
+# a function introduced by the 1.50.0 nghttp2 release.
+#
+# This is a bandaid, as cURL didn't provide a function/version check
+# in their build scripts. Without this some users my end up with a broken
+# Zypper/cURL if they have a libnghttp2 < 1.50.0 yet in their system,
+# and do some Zypper transaction that updates cURL, but not libnghttp2.
+#
+BuildRequires:  pkgconfig(libnghttp2) >= 1.50.0
 BuildRequires:  pkgconfig(libpsl)
 BuildRequires:  pkgconfig(libssh)
 BuildRequires:  pkgconfig(libzstd)