No way to reliably opt out of statically linking libcurl · Issue #321 · alexcrichton/curl-rust

Following up in a new issue since #316 was erroneously closed, and I cannot reopen it

Right now curl-rust will silently fall back to statically linking the bundled version of libcurl, even if the static-curl feature is not enabled.

This presents a security issue: if you have configured the build to dynamically link to libcurl, it is reasonable to assume that updating the system-wide libcurl is sufficient to mitigate any outstanding CVEs. But in reality curl-rust may have silently fallen back to a bundled libcurl, which is still vulnerable.

There needs to be a way to opt out of statically linked libcurl entirely, so that if shared libcurl is not present the compilation would fail.

Also, the behavior should be clear from feature names; right now the fact that removing the static-curl feature does not actually disable static linking of the bundled version is a major footgun from the security standpoint.
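Until the crate itself can refuse to fall back, a build can at least verify the outcome after the fact. The following is an added example, not code from curl-rust or from the issue author: a POSIX sh check that inspects the `ldd` output of a produced binary and fails when no shared libcurl dependency is present, which is the signature of the silent bundled fallback described above. The function names (`libcurl_is_shared`, `check_binary`) and the sample `ldd` lines are constructed for illustration.

```shell
#!/bin/sh
# Hypothetical CI guard (not part of curl-rust): fail unless the binary
# actually resolves libcurl as a shared library at load time.

# Reads ldd-style output on stdin. Returns 0 if a line maps libcurl
# (plain, -gnutls or -nss flavour) to a shared object, 1 otherwise.
# Taking stdin instead of a path keeps the check testable without a binary.
libcurl_is_shared() {
    grep -Eq '^[[:space:]]*libcurl(-gnutls|-nss)?\.so(\.[0-9]+)*[[:space:]]+=>'
}

# Run the check against a real binary; exit non-zero so CI stops the build.
check_binary() {
    bin="$1"
    if ! ldd "$bin" 2>/dev/null | libcurl_is_shared; then
        echo "ERROR: $bin has no shared libcurl dependency; a bundled static copy was probably linked in" >&2
        return 1
    fi
    echo "OK: $bin links the system libcurl"
}

# Constructed ldd output for a binary that links the system libcurl.
SAMPLE_SHARED='	linux-vdso.so.1 (0x00007ffd1a3f0000)
	libcurl.so.4 => /usr/lib/x86_64-linux-gnu/libcurl.so.4 (0x00007f2b3c000000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f2b3bc00000)'

# Constructed ldd output for a binary where libcurl was linked statically.
SAMPLE_STATIC='	linux-vdso.so.1 (0x00007ffd1a3f0000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f2b3bc00000)'

# Helper used for the self-check: prints "shared" or "static" for a sample.
classify_sample() {
    if printf '%s\n' "$1" | libcurl_is_shared; then
        echo shared
    else
        echo static
    fi
}
```

In a real pipeline, call `check_binary target/release/<your-binary>` after `cargo build`; the sample variables only exercise the parser offline.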