use vendored-openssl feature with lychee package #12914

Closed
kranurag7
Member

vendored-openssl compiles and statically links a copy of OpenSSL. (from lychee docs)
Ref: https://github.com/lycheeverse/lychee/blob/13f4339710d76831d9daf961584d796cee4847d2/.github/workflows/release.yml#L70

For static linking. I copied the lychee binary in a multistage pipeline and got the following error.

lychee: error while loading shared libraries: libssl.so.3: cannot open shared object file: No such file or directory

This commit updates the package so that we get a statically linked binary.

Fixes:

Related:

Pre-review Checklist

For new package PRs only

  • This PR is marked as fixing a pre-existing package request bug
    • Alternatively, the PR is marked as related to a pre-existing package request bug, such as a dependency
  • REQUIRED - The package is available under an OSI-approved or FSF-approved license
  • REQUIRED - The version of the package is still receiving security updates
  • This PR links to the upstream project's support policy (e.g. endoflife.date)

For new version streams

  • The upstream project actually supports multiple concurrent versions.
  • Any subpackages include the version string in their package name (e.g. name: ${{package.name}}-compat)
  • The package (and subpackages) provides: logical unversioned forms of the package (e.g. nodejs, nodejs-lts)

For security-related PRs

  • The security fix is recorded in the advisories repo

For version bump PRs

  • The epoch field is reset to 0

For PRs that add patches

  • Patch source is documented

Signed-off-by: kranurag7 <81210977+kranurag7@users.noreply.github.com>
@rawlingsj
Member

If I understand this correctly this would mean lychee would use its own copy of openssl? If there is a vulnerability in openssl then in wolfi we'd ensure that package is updated as fast as a remediation is available, though lychee would then not benefit from that and still be vulnerable.

Can you install openssl in your multi-stage Dockerfile to resolve the original issue you are seeing?

@kranurag7
Member Author

James, thanks for the review. I think it's not possible to have a static executable for lychee as of now.

I tried adding openssl but that didn't work.
I fell back to using curl for fetching the binary inside the image.

A more detailed overview is here: lycheeverse/lychee#1376

Closing this one and I'll open a PR in the future, probably when it's possible.

@kranurag7 kranurag7 closed this Feb 13, 2024
@kranurag7 kranurag7 deleted the kr/use-vendored-openssl branch February 13, 2024 17:30
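
Added example, not part of this pull request and not lychee or Wolfi code: the `libssl.so.3` loader error quoted in the description comes from a `DT_NEEDED` entry in the binary's dynamic section, and the review question is whether OpenSSL is resolved from the distro package at run time or carried inside the binary. This Python sketch lists those entries for a 64-bit little-endian ELF; `needed_libraries`, `shared_openssl` and `build_sample_elf` are hypothetical names, and the sample ELF is constructed.

```python
import struct
DT_NULL, DT_NEEDED, DT_STRTAB = 0, 1, 5
PT_LOAD, PT_DYNAMIC = 1, 2

def needed_libraries(elf: bytes) -> list:
    """DT_NEEDED names of a 64-bit little-endian ELF image (what ld.so must find)."""
    if elf[:6] != b"\x7fELF\x02\x01":
        raise ValueError("expected a 64-bit little-endian ELF file")
    phoff, phentsize, phnum = struct.unpack_from("<Q14xHH", elf, 0x20)
    loads, dyn = [], (0, 0)            # dyn stays empty for a fully static binary
    for i in range(phnum):
        p_type, _, off, vaddr, _, filesz = struct.unpack_from("<IIQQQQ", elf, phoff + i * phentsize)
        if p_type == PT_LOAD:
            loads.append((vaddr, off, filesz))
        elif p_type == PT_DYNAMIC:
            dyn = (off, filesz)
    tags = []
    for pos in range(dyn[0], dyn[0] + dyn[1], 16):
        tag, val = struct.unpack_from("<qQ", elf, pos)
        if tag == DT_NULL:
            break
        tags.append((tag, val))
    strtab_va = next((v for t, v in tags if t == DT_STRTAB), None)
    if strtab_va is None:
        return []
    # DT_STRTAB is a virtual address; map it to a file offset via its PT_LOAD segment.
    strtab = next(o + strtab_va - va for va, o, sz in loads if va <= strtab_va < va + sz)
    return [elf[strtab + v:elf.index(b"\0", strtab + v)].decode() for t, v in tags if t == DT_NEEDED]

def shared_openssl(elf: bytes) -> list:
    """libssl/libcrypto sonames the loader must resolve at run time; [] means none."""
    return [n for n in needed_libraries(elf) if n.startswith(("libssl.so", "libcrypto.so"))]

def build_sample_elf(needed) -> bytes:
    """Constructed sample: minimal ELF holding only headers, .dynamic and its strings."""
    strtab, offsets = b"\0", []
    for name in needed:
        offsets.append(len(strtab))
        strtab += name.encode() + b"\0"
    dyn_off = 64 + 2 * 56              # ELF header + two program headers
    str_off = dyn_off + 16 * (len(needed) + 2)
    dyn = b"".join(struct.pack("<qQ", DT_NEEDED, o) for o in offsets)
    dyn += struct.pack("<qQqQ", DT_STRTAB, str_off, DT_NULL, 0)
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0, 64, 56, 2, 0, 0, 0)
    size = str_off + len(strtab)
    load = struct.pack("<IIQQQQQQ", PT_LOAD, 4, 0, 0, 0, size, size, 0x1000)
    dynph = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off, len(dyn), len(dyn), 8)
    return ehdr + load + dynph + dyn + strtab
```

For a real binary, pass `open(path, "rb").read()` to `shared_openssl`. A non-empty result names the shared objects the final image must ship; an empty result means no shared OpenSSL dependency (a vendored or static build, or OpenSSL not used), so updates to the distro's OpenSSL package do not reach that binary until it is rebuilt.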