Your message dated Thu, 04 Jun 2026 03:05:41 +0000
with message-id <[email protected]>
and subject line Bug#1020780: fixed in curl 8.21.0~rc1-1+exp1
has caused the Debian Bug report #1020780,
regarding libcurl3-gnutls: should provide an ABI compatible with upstream
libcurl-gnutls.so.4
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1020780: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1020780
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libcurl3-gnutls
Version: 7.85.0-1
Severity: normal
libcurl3-gnutls announces its SONAME as libcurl-gnutls.so.4, the same
as upstream libcurl, but its symbols are versioned as CURL_GNUTLS_3,
not the same as upstream libcurl (where they would be CURL_GNUTLS_4).
This is contrary to the usual design principle that SONAMEs and versioned
symbols should be managed by upstream projects (with assistance from
downstreams where it becomes necessary), and broadly compatible between
dissimilar downstream distributions.
This breaks the following scenarios, which can never be entirely
guaranteed to work but in practice do work for most other libraries,
like for example GTK or SDL:
* compile a relocatable binary against Debian's libcurl4-gnutls-dev
* attempt to run it against an equal or newer version of upstream libcurl
that was built with versioned symbols and GNUTLS as SSL backend
* expected result: it runs successfully
* actual result: runtime linking fails because the binary is looking for
symbols like curl_global_init@CURL_GNUTLS_3, but upstream libcurl only
provides curl_global_init@CURL_GNUTLS_4
and conversely
* compile a relocatable binary against an upstream libcurl that was built
with versioned symbols and GNUTLS as SSL backend
* attempt to run it against an equal or newer version of Debian's
libcurl3-gnutls
* expected result: it runs successfully
* actual result: runtime linking fails because the binary is looking for
symbols like curl_global_init@CURL_GNUTLS_4, but Debian's libcurl only
provides curl_global_init@CURL_GNUTLS_3
This particularly affects LD_LIBRARY_PATH environments that are careful to
choose each library to be either the system copy or the locally-bundled
copy, whichever is newer, in order to avoid version conflicts (such as
Valve's Steam Runtime): on Debian systems, a newer system copy is
non-backwards-compatible with an older upstream libcurl, and conversely
a newer upstream libcurl is non-backwards-compatible with binaries built
against an older Debian derivative like the Steam Runtime.
The OpenSSL flavour of libcurl had an equivalent incompatibility between
about 2005 and 2018, but the Debian and upstream ABIs re-converged in
2018 during the switch from OpenSSL 1.0 to 1.1.
The NSS flavour of libcurl might have the same issue, but this is
mitigated by the fact that to the best of my knowledge, nobody else links
libcurl to NSS.
I think the ideal solution would go something like this:
* re-converge on upstream's ABI, with symbols like
curl_global_init@CURL_GNUTLS_4
* make those symbols the default implementation (sometimes seen written as
"curl_global_init@@CURL_GNUTLS_4" with a double @ sign), so that new
binaries linked against either upstream or downstream libcurl want to see
symbols like curl_global_init@CURL_GNUTLS_4 at runtime
* for backwards compatibility with older Debian, also export each symbol
that existed prior to this transition, as curl_global_init@CURL_GNUTLS_3
or similar, either as aliases for the upstream-compatible symbols or as
shims that pass on their arguments to the upstream-compatible symbols;
there is a finite (but large) number of such symbols
* make the ...@CURL_GNUTLS_3 symbols non-default (sometimes seen written as
"(curl_global_init@CURL_GNUTLS_3)" in parentheses), so that newly-linked
binaries do not expect to see these symbols
* ideally send the compatibility shims upstream so that after enough time
has passed, everyone's GNUTLS builds of libcurl end up implementing
both ABIs
This is probably too intrusive to do before Debian 12, since the freeze is
only a few months away, but it would be good to re-converge with upstream
at some point in future.
smcv
--- End Message ---
--- Begin Message ---
Source: curl
Source-Version: 8.21.0~rc1-1+exp1
Done: Samuel Henrique <[email protected]>
We believe that the bug you reported is fixed in the latest version of
curl, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Samuel Henrique <[email protected]> (supplier of updated curl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 02 Jun 2026 21:22:01 -0700
Source: curl
Architecture: source
Version: 8.21.0~rc1-1+exp1
Distribution: experimental
Urgency: medium
Maintainer: Debian Curl Maintainers <[email protected]>
Changed-By: Samuel Henrique <[email protected]>
Closes: 1020780 1138629
Changes:
curl (8.21.0~rc1-1+exp1) experimental; urgency=medium
.
* New upstream version 8.21.0~rc1
* d/p/event-fix-wakeup-consumption.patch: Drop patch applied upstream
* Refresh patches:
- Implement-symbol-versioning-for-CURL_GNUTLS_3.patch
- ZZZgnutls-build.patch
- build-Divide-mit-krb5-gssapi-link-flags-between-LDFLAGS-a.patch
.
curl (8.20.0-5) unstable; urgency=medium
.
* d/control: Mark libcurl3t64-gnutls as Arch: any, M-A: same.
Thanks to Simon McVittie <[email protected]> (Closes: #1138629)
.
curl (8.20.0-4) unstable; urgency=medium
.
* d/p/Implement-symbol-versioning-for-CURL_GNUTLS_3.patch:
Adjust to disable checksrc's LONGLINE check (and fix autopkgtest).
.
curl (8.20.0-3) unstable; urgency=medium
.
* d/p/ZZZgnutls-build.patch: Use same SO version for both libraries.
* d/libgnutls3t64-gnutls.symbols: s/CURL_GNUTLS_3/CURL_GNUTLS_4/.
* d/p/Implement-symbol-versioning-for-CURL_GNUTLS_3.patch:
Implement symbol versioning for CURL_GNUTLS_3 symbols. (Closes: #1020780)
* d/control: New package libcurl4-gnutls.
Also turn libcurl3t64-gnutls into a transitional package that depends
on libcurl4-gnutls.
* d/libcurl3t64-gnutls*: Rename to d/libcurl4-gnutls*.
* d/libcurl4-gnutls.symbols: Add CURL_GNUTLS_3 symbols.
* d/rules: Adjust install-curl recipe to use libcurl4-gnutls.
* d/libcurl4-gnutls.symbols: Fix version on all libcurl4-gnutls symbols.
We have to mark all symbols as having been introduced by the latest
Debian release of the package. This is necessary because we want
future programs to link against this version specifically, not
previous libcurl3t64-gnutls versions.
* d/libcurl4-gnutls.lintian-overrides: Adjust for new package name.
* d/copyright: Update file.
Checksums-Sha1:
6e2991669cc163d3cadda4be784d5639a20b5374 3427 curl_8.21.0~rc1-1+exp1.dsc
4ebc7e4ff639528459572a687045de0999594d86 2870324 curl_8.21.0~rc1.orig.tar.xz
25c1f8d730c021b6ba36ddc03065e2dbbc856eb4 488 curl_8.21.0~rc1.orig.tar.xz.asc
3454ecb96cb4b6031e303977aa39cedc84fc637f 64232
curl_8.21.0~rc1-1+exp1.debian.tar.xz
c58d114434a12773310638a9310ba85af271694b 12176
curl_8.21.0~rc1-1+exp1_amd64.buildinfo
Checksums-Sha256:
15e978a0687474c21bdd9775031a4bdbd04a72c3495a6d565aa87a5d59e5791d 3427
curl_8.21.0~rc1-1+exp1.dsc
b49e856e3876e209f4b4f4cb68faf50bcc887a3bd5281ed34ec6f21ccef1c37a 2870324
curl_8.21.0~rc1.orig.tar.xz
0f8daba52636a3562ef6799139e2aa28f8eb964f4633cd4a1dfd4c726cd5a365 488
curl_8.21.0~rc1.orig.tar.xz.asc
0a4ad86452f13fcd808ae5ae597dc313ac3f08b617c2db7ab5bbcf72157aaee0 64232
curl_8.21.0~rc1-1+exp1.debian.tar.xz
8159cc67e011427fd50e4b49bbeb96b468c32799b06a594428f256196c2054b6 12176
curl_8.21.0~rc1-1+exp1_amd64.buildinfo
Files:
3bb97cc4154b1318ae3484e62ef23557 3427 web optional curl_8.21.0~rc1-1+exp1.dsc
836609f577bde27fa83208e9266ea551 2870324 web optional
curl_8.21.0~rc1.orig.tar.xz
28343bc172cf12c2307f525745303daa 488 web optional
curl_8.21.0~rc1.orig.tar.xz.asc
0bea5e4ab8c765e157433ffaed3bf84c 64232 web optional
curl_8.21.0~rc1-1+exp1.debian.tar.xz
5eaa90c98d2c5ef5f4fed55daa769731 12176 web optional
curl_8.21.0~rc1-1+exp1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEBdtqg34QX0sdAsVfu6n6rcz7RwcFAmofrvwACgkQu6n6rcz7
Rwc35g//dK/4FkGkY4ZCdzBr5+81y80Jc7lCmEs7m1BrUfGoP6HpxWByou9T0OL2
xfv02/pZgfyJ0AyV1Qn/nh2ByTAWC7YsVwMhIJ78p5/yQRa9rj52I63hrhWfzAZK
DoZolqmNHJy9F+NQ1L7KYYhwmlkR9z2p7gpOkubn7i2tZWNYLhs6Hpijf0WrK1iV
7jONaguv2gqe0NSDvqPLr0pQlEd1KwbeBYhfYSPRwyfwmYeSapk2Cy/J1gEEBhr4
MxnnHdnXxNrGUCIKDckYymUihHpmv9Bf5kp31beWbp+CM3ahtuaUNdpYxGmHkzEZ
WHGRxFgLPfPLEZU2mxsszS93DLuTLsBTcg6qWl50dH96zc4iR8+1bvcKkgj2uoNt
bJxVdoeALKm7h7WAT8NGchM9c00ghG+ZStV9Of9Yb8B0OpkfZaLOsHs7LsGZ6pI5
qJCI3RMgUHMNeni0Op3/PZ1/6Hu5CJTepJDL05uQL6OyO79OOVdJs2yi5aFcx3DG
7hiHgkCx++K1HA5FyaHezWzdIzd7YUppIcpXDTPDhJS5IV9z0mtM3SWMcAs/EEsG
3IeqqY/g5F0Ct7P5kFViaG6LBObg1y1oZhOFQKi9p8q6TNcO61DnfuhtQuFC3kw9
gApbwWcOcbnqGH2PzYlGzQ1jUl/9xM6wa9bTHMwjh1Z4CNeaJfc=
=mT3q
-----END PGP SIGNATURE-----
pgpvcr_zjmKXT.pgp
Description: PGP signature
--- End Message ---
