Your message dated Sun, 31 May 2026 19:00:40 +0000
with message-id <[email protected]>
and subject line Bug#1020780: fixed in curl 8.20.0-3
has caused the Debian Bug report #1020780,
regarding libcurl3-gnutls: should provide an ABI compatible with upstream
libcurl-gnutls.so.4
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1020780: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1020780
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libcurl3-gnutls
Version: 7.85.0-1
Severity: normal
libcurl3-gnutls announces its SONAME as libcurl-gnutls.so.4, the same
as upstream libcurl, but its symbols are versioned as CURL_GNUTLS_3,
not the same as upstream libcurl (where they would be CURL_GNUTLS_4).
This is contrary to the usual design principle that SONAMEs and versioned
symbols should be managed by upstream projects (with assistance from
downstreams where it becomes necessary), and broadly compatible between
dissimilar downstream distributions.
This breaks the following scenarios, which can never be entirely
guaranteed to work but in practice do work for most other libraries,
like for example GTK or SDL:
* compile a relocatable binary against Debian's libcurl4-gnutls-dev
* attempt to run it against an equal or newer version of upstream libcurl
that was built with versioned symbols and GNUTLS as SSL backend
* expected result: it runs successfully
* actual result: runtime linking fails because the binary is looking for
symbols like curl_global_init@CURL_GNUTLS_3, but upstream libcurl only
provides curl_global_init@CURL_GNUTLS_4
and conversely
* compile a relocatable binary against an upstream libcurl that was built
with versioned symbols and GNUTLS as SSL backend
* attempt to run it against an equal or newer version of Debian's
libcurl3-gnutls
* expected result: it runs successfully
* actual result: runtime linking fails because the binary is looking for
symbols like curl_global_init@CURL_GNUTLS_4, but Debian's libcurl only
provides curl_global_init@CURL_GNUTLS_3
This particularly affects LD_LIBRARY_PATH environments that are careful to
choose each library to be either the system copy or the locally-bundled
copy, whichever is newer, in order to avoid version conflicts (such as
Valve's Steam Runtime): on Debian systems, a newer system copy is
non-backwards-compatible with an older upstream libcurl, and conversely
a newer upstream libcurl is non-backwards-compatible with binaries built
against an older Debian derivative like the Steam Runtime.
The OpenSSL flavour of libcurl had an equivalent incompatibility between
about 2005 and 2018, but the Debian and upstream ABIs re-converged in
2018 during the switch from OpenSSL 1.0 to 1.1.
The NSS flavour of libcurl might have the same issue, but this is
mitigated by the fact that to the best of my knowledge, nobody else links
libcurl to NSS.
I think the ideal solution would go something like this:
* re-converge on upstream's ABI, with symbols like
curl_global_init@CURL_GNUTLS_4
* make those symbols the default implementation (sometimes seen written as
"curl_global_init@@CURL_GNUTLS_4" with a double @ sign), so that new
binaries linked against either upstream or downstream libcurl want to see
symbols like curl_global_init@CURL_GNUTLS_4 at runtime
* for backwards compatibility with older Debian, also export each symbol
that existed prior to this transition, as curl_global_init@CURL_GNUTLS_3
or similar, either as aliases for the upstream-compatible symbols or as
shims that pass on their arguments to the upstream-compatible symbols;
there is a finite (but large) number of such symbols
* make the ...@CURL_GNUTLS_3 symbols non-default (sometimes seen written as
"(curl_global_init@CURL_GNUTLS_3)" in parentheses), so that newly-linked
binaries do not expect to see these symbols
* ideally send the compatibility shims upstream so that after enough time
has passed, everyone's GNUTLS builds of libcurl end up implementing
both ABIs
This is probably too intrusive to do before Debian 12, since the freeze is
only a few months away, but it would be good to re-converge with upstream
at some point in future.
smcv
--- End Message ---
--- Begin Message ---
Source: curl
Source-Version: 8.20.0-3
Done: Sergio Durigan Junior <[email protected]>
We believe that the bug you reported is fixed in the latest version of
curl, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Sergio Durigan Junior <[email protected]> (supplier of updated curl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 29 May 2026 17:19:53 -0400
Source: curl
Binary: curl curl-dbgsym libcurl3t64-gnutls libcurl4-doc libcurl4-gnutls
libcurl4-gnutls-dbgsym libcurl4-gnutls-dev libcurl4-openssl-dev libcurl4t64
libcurl4t64-dbgsym
Architecture: source amd64 all
Version: 8.20.0-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Curl Maintainers <[email protected]>
Changed-By: Sergio Durigan Junior <[email protected]>
Description:
curl - command line tool for transferring data with URL syntax
libcurl3t64-gnutls - transitional package for libcurl4-gnutls
libcurl4-doc - documentation for libcurl
libcurl4-gnutls - easy-to-use client-side URL transfer library (GnuTLS flavour)
libcurl4-gnutls-dev - development files and documentation for libcurl (GnuTLS
flavour)
libcurl4-openssl-dev - development files and documentation for libcurl
(OpenSSL flavour)
libcurl4t64 - easy-to-use client-side URL transfer library (OpenSSL flavour)
Closes: 1020780
Changes:
curl (8.20.0-3) unstable; urgency=medium
.
* d/p/ZZZgnutls-build.patch: Use same SO version for both libraries.
* d/libgnutls3t64-gnutls.symbols: s/CURL_GNUTLS_3/CURL_GNUTLS_4/.
* d/p/Implement-symbol-versioning-for-CURL_GNUTLS_3.patch:
Implement symbol versioning for CURL_GNUTLS_3 symbols. (Closes: #1020780)
* d/control: New package libcurl4-gnutls.
Also turn libcurl3t64-gnutls into a transitional package that depends
on libcurl4-gnutls.
* d/libcurl3t64-gnutls*: Rename to d/libcurl4-gnutls*.
* d/libcurl4-gnutls.symbols: Add CURL_GNUTLS_3 symbols.
* d/rules: Adjust install-curl recipe to use libcurl4-gnutls.
* d/libcurl4-gnutls.symbols: Fix version on all libcurl4-gnutls symbols.
We have to mark all symbols as having been introduced by the latest
Debian release of the package. This is necessary because we want
future programs to link against this version specifically, not
previous libcurl3t64-gnutls versions.
* d/libcurl4-gnutls.lintian-overrides: Adjust for new package name.
* d/copyright: Update file.
Checksums-Sha1:
454bbfcff34fc88c155f2a55b7e6d0b58a02a899 3363 curl_8.20.0-3.dsc
b8d1e3b2552a84f56eb3851c1700709b46530d1f 64164 curl_8.20.0-3.debian.tar.xz
81b9b4e818c39666875021520261e88307c20776 238000 curl-dbgsym_8.20.0-3_amd64.deb
1faed5a289601f8fa723afc0852bcdb419167293 11819 curl_8.20.0-3_amd64.buildinfo
35707f56b34822f048d5aa563bb998a7696f856a 279640 curl_8.20.0-3_amd64.deb
f205e068ee40e4b03763577b7285962f64b14ae2 16544
libcurl3t64-gnutls_8.20.0-3_all.deb
bdd1b18ba47956d760011d776f5363ae0def0256 909604 libcurl4-doc_8.20.0-3_all.deb
242ef72df9b61c4ab5da9cd6b09b443e9e182fab 1414684
libcurl4-gnutls-dbgsym_8.20.0-3_amd64.deb
3569cbb251a3e6109d64d4686de2cda28bd01a46 529632
libcurl4-gnutls-dev_8.20.0-3_amd64.deb
8ad64447477b79e54b1d6fdbe3ec93b8ce1d32ad 404348
libcurl4-gnutls_8.20.0-3_amd64.deb
12b430428f7cf5a49facecba0d76e17de8e5b658 534048
libcurl4-openssl-dev_8.20.0-3_amd64.deb
1ea166f82221ecfdb13b196e81eb16bcd85ab8ef 1423116
libcurl4t64-dbgsym_8.20.0-3_amd64.deb
7dd77f22aaf3f2ba75c006ac67d6cb891c754828 409552 libcurl4t64_8.20.0-3_amd64.deb
Checksums-Sha256:
31d5fb7872317c16239c9ea20cc09dcb09c6b838de479b985ce912fdadbcd327 3363
curl_8.20.0-3.dsc
332209aad4f25a5d2372e2b19582bf4fa023bbcfda1cfe4f8f830ee51a86476c 64164
curl_8.20.0-3.debian.tar.xz
c69e26bbef341d96a414b977b5d41268a322e0812bb2b06064220c0fce27acbb 238000
curl-dbgsym_8.20.0-3_amd64.deb
074066764b9f39b603d08fe9a1d367aa12eef04f3d10bab9aeb0227d8f26fc49 11819
curl_8.20.0-3_amd64.buildinfo
3cb2cbd7e6b65b85e1da3d063b8f4e48ae07d47b9340b17321e02f15cb5d0ef8 279640
curl_8.20.0-3_amd64.deb
ecfe55f319bceb18a9252a6bfe682ebacf911675b1056138d4a28b5394b0e77b 16544
libcurl3t64-gnutls_8.20.0-3_all.deb
393c3781896731820b285524fdcefaf774bff58fec09731e97d2ff41eea9424a 909604
libcurl4-doc_8.20.0-3_all.deb
154af6fd50eb113c01d003b3a4a11c395e13259526b6257a83165caee41f22da 1414684
libcurl4-gnutls-dbgsym_8.20.0-3_amd64.deb
f028adb76633eb1820a07dbf13ca38517b2f03daf1e2ad47a5019bdec2d32e5f 529632
libcurl4-gnutls-dev_8.20.0-3_amd64.deb
f695c180e0eba95247dc948420e8e0e3dda926db8e03ecf2aa8ca0e7e196715f 404348
libcurl4-gnutls_8.20.0-3_amd64.deb
ad143a56166a40eb280b780cdf13c00ac2d0873766e240aa4fdad3a52c7873a1 534048
libcurl4-openssl-dev_8.20.0-3_amd64.deb
8c01e477fb2a71c68549e7b73c2cd68e9cbb96da47fcae78c7374ae7e7643932 1423116
libcurl4t64-dbgsym_8.20.0-3_amd64.deb
9b730927969957f3fc5655cca1edc9455d9ef273b097fff00fb33f7e66d6a468 409552
libcurl4t64_8.20.0-3_amd64.deb
Files:
dbd5176efb148c2d83b09f8b3cf8d0a1 3363 web optional curl_8.20.0-3.dsc
83ced10ddfb7ec018dbcc98e5870bd33 64164 web optional curl_8.20.0-3.debian.tar.xz
53b64bd85445b555c5ebf8392cac4d19 238000 debug optional
curl-dbgsym_8.20.0-3_amd64.deb
7e97352cb564a3788ff215f243d9d56f 11819 web optional
curl_8.20.0-3_amd64.buildinfo
30a7bc1524a6296a5d1919d242b32c5e 279640 web optional curl_8.20.0-3_amd64.deb
3e9d9bc98b97db9b94814caf61432158 16544 oldlibs optional
libcurl3t64-gnutls_8.20.0-3_all.deb
c80adea9eed15c8a761b88c581cdc427 909604 doc optional
libcurl4-doc_8.20.0-3_all.deb
c1f6082b83b85d3c2f10f1465b2cb072 1414684 debug optional
libcurl4-gnutls-dbgsym_8.20.0-3_amd64.deb
2bc646db64c058e03e0dc833478c27ea 529632 libdevel optional
libcurl4-gnutls-dev_8.20.0-3_amd64.deb
6b350fc3358d9af275658765ec3490f5 404348 libs optional
libcurl4-gnutls_8.20.0-3_amd64.deb
9d5d83e30bef53d90d892c6212fdd63d 534048 libdevel optional
libcurl4-openssl-dev_8.20.0-3_amd64.deb
f72a564e5aeb6e0ff4329146006f5af9 1423116 debug optional
libcurl4t64-dbgsym_8.20.0-3_amd64.deb
12f8e6f409214488d0b5b8a7360f4ebf 409552 libs optional
libcurl4t64_8.20.0-3_amd64.deb
-----BEGIN PGP SIGNATURE-----
iQJIBAEBCgAyFiEEI3pUsQKHKL8A7zH00Ot2KGX8XjYFAmoaBA0UHHNlcmdpb2Rq
QGRlYmlhbi5vcmcACgkQ0Ot2KGX8XjZ3zg//QYZKEr3pF0KgcSQHYHH64bf2yT8y
966F4nvku3FaiGsxMd893FfqgceO0fu1BvVHPOizNbfp5x6SeZsLOtURQTuCQu/K
qwEDR5EEyV8xbTy9ijQCdux9JjYFjhtdbMy0LCy2nEVE8JkTb4aNTs+OlIalxlzQ
B6ISDSjhnYCy6VU4mykhe1O34s8pTJCwXdNaHK3hgS1E9zrdc/yJVHlsp1KhqUc2
Gq4GZ2TQZ6OmYhezDh6Vd9Dq2ibVZc2rsX8uXujsds273LvevkoaSZgfEikfUy9x
SNL2bz7DTo5dhB0B9xPKdgGBnjdNQ/pnxTvJkIXl2+h+iqYRPcDZxTa6mJrQ1F9D
Wj7te8qzUgmvQO0UPWbF45tbOZ1R77IB621D48Oc22o9EF8L8md8kUBMHa+LFevl
Yw8aImCQPm2r2odKMisO+lVkRIQcOt3YDuR6xWh7ZnMvE8Z9qrAD3fkR9OdFpLV3
9miwfcA38MVi4OpjpqfeJVOU5vIdhIEJLe2+jmHr14Yg2q4I4KSe89rAlRIxbfsO
j416NmCtGQMZZVkr+VOjPyB0GnBWJqnCxGCzqTUFDDKEbHNxmUq4bDL1ud58PFBl
P/JI/ZEeADu7VWiPhJQ3tH80hbPB08wmoy99amORZjDsuL7pDqlu8OAJtAZoJQwM
cmIjbk9094jf7oU=
=l7Ls
-----END PGP SIGNATURE-----
pgpTqJIbVhWKd.pgp
Description: PGP signature
--- End Message ---
