net-misc/curl: Sync with Gentoo

It's from Gentoo commit 222904ab419f93feddbb6581ec812d4f747a1234.

Signed-off-by: Flatcar Buildbot <buildbot@flatcar-linux.org>

sdk_container/src/third_party/portage-stable/net-misc/curl/Manifest

@@ -2,5 +2,5 @@ DIST curl-8.15.0.tar.xz 2773156 BLAKE2B ae809be87f34d079413129c27e618a6d15c2bf90
 DIST curl-8.15.0.tar.xz.asc 488 BLAKE2B 4b0bab065a1d2d5b7e5d49989bd4953344d844cafd3036b4cb2ed2dec82e59031832f05c06dc6a801e4668d92c936df74aeff7a5f2c15ff614da4b1673a67501 SHA512 b6aef1c6a1f32c60401494df565a748fa96c1d5098138772c22f6208bafeb8e61402f3077cbc274ea2c05f35ff376d8f736c58554520f8d20fded36d876499a5
 DIST curl-8.16.0.tar.xz 2788632 BLAKE2B 573d56779481abf0b7d20225bba4f068cb726f23f69ce10076438e32cc6c16d1229c211aee05fc5e3e9cb9d78bbfdc5da0d8b73e730c0865879000eb90accf6a SHA512 8262c3dc113cfd5744ef1b82dbccaa69448a9395ad5c094c22df5cf537a047a927d3332db2cb3be12a31a68a60d8d0fa8485b916e975eda36a4ebd860da4f621
 DIST curl-8.16.0.tar.xz.asc 488 BLAKE2B d213bd447c668118b49b7356dc99e710de927b93f81325802bae5e286b61481da6ed30f23c7f4f3cfb0f01222db88602ff4e510f4a1401e98511eb0c72ac6abb SHA512 591568e997c0d955a00152ce5bdfb4586d84b42f5c1e15df503514fb4eb4bf289a98b1ebdad23913119c67c27d51a6e6f4065ee6f7657b971c3a581c928a0d82
-DIST curl-8.17.0-rc1.tar.xz 2789224 BLAKE2B f741f2385666a5f5902c9137e49c8131680903b61b3d52d4d48ec385cb69a9135ed40cfba9ac7e1bf4e24fe70a03b81336f54ee1e9cb464c88cfa6fe1c5d24c4 SHA512 bbaa3c97860f51c069dfc448d212a0d2149abfe76429bd4e7e3b005f44851e609008b90f5ed5caad048b5815043433248b495c41edf04d4bb5b76a8af41ede02
+DIST curl-8.17.0.tar.xz 2797000 BLAKE2B a7a804afe058f323b40177bcb4ffc523decde92da3da0a051f2dc1b566131250a96afe1ebf2bebc071993c893bddeef883ef33ddc0a9bee86d4e54402a546fba SHA512 fc6349def40c3c259de2a568631507df17dff83e78a2edbb93f069586dce594439fdc88bef7ce2bed7491f35800b8c0c181c8c88e6ef656cc3c18f9834681eca
-DIST curl-8.17.0-rc1.tar.xz.asc 488 BLAKE2B 2e753849bdb0ab224953cf56d03e0dbfc69152ad36c0783db688e808ce46e290d0ddbc3d7ce86b9bb4ad7e13ca20107b02ec6227c4a0ffc14470a1c257f90d99 SHA512 e86f7c9000ee5e8ee775947e720a17cf327b1f3053d6a6d92d3d1d27ed8dacefe1934ce3ee67b1efd59a601e0312bcffd1fb0900b760fda15e0fe7ba1a892c8f
+DIST curl-8.17.0.tar.xz.asc 488 BLAKE2B 88b72cb9c0acd8a06956eca31047dfadfe110dc07290adbe50b9451a71d4282acaa05c8a149787d71cf13cf1b42e8df9594d0e8a2b1cadbfca5eb50550f32609 SHA512 e77d4cb1f4961aa0df3d76f1a8c55a0b9005ed557adf745f3ab24d33cee2d0e4bd06cecb9d911e76409852e7755129873cc7d24936c846ff1b854903c0f086b2

sdk_container/src/third_party/portage-stable/net-misc/curl/curl-8.15.0.ebuild

@@ -101,7 +101,7 @@ REQUIRED_USE="
 # don't be afraid to require a later version.
 # ngtcp2 = https://bugs.gentoo.org/912029 - can only build with one tls backend at a time.
 RDEPEND="
-	>=sys-libs/zlib-1.2.5[${MULTILIB_USEDEP}]
+	>=virtual/zlib-1.2.5:=[${MULTILIB_USEDEP}]
 	adns? ( >=net-dns/c-ares-1.16.0:=[${MULTILIB_USEDEP}] )
 	brotli? ( app-arch/brotli:=[${MULTILIB_USEDEP}] )
 	http2? ( >=net-libs/nghttp2-1.15.0:=[${MULTILIB_USEDEP}] )

sdk_container/src/third_party/portage-stable/net-misc/curl/curl-8.16.0-r1.ebuild

@@ -22,7 +22,7 @@ else
 		S="${WORKDIR}/${P//_/-}"
 	else
 		CURL_URI="https://curl.se/download/"
-		KEYWORDS="~alpha amd64 arm ~arm64 ~hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 ~sparc x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
+		KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 ~sparc x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
 	fi
 	SRC_URI="
 		${CURL_URI}${P//_/-}.tar.xz
@@ -99,7 +99,7 @@ REQUIRED_USE="
 # don't be afraid to require a later version.
 # ngtcp2 = https://bugs.gentoo.org/912029 - can only build with one tls backend at a time.
 RDEPEND="
-	>=sys-libs/zlib-1.2.5[${MULTILIB_USEDEP}]
+	>=virtual/zlib-1.2.5:=[${MULTILIB_USEDEP}]
 	adns? ( >=net-dns/c-ares-1.16.0:=[${MULTILIB_USEDEP}] )
 	brotli? ( app-arch/brotli:=[${MULTILIB_USEDEP}] )
 	http2? ( >=net-libs/nghttp2-1.15.0:=[${MULTILIB_USEDEP}] )

sdk_container/src/third_party/portage-stable/net-misc/curl/curl-8.17.0-r1.ebuild

@@ -0,0 +1,445 @@
+# Copyright 1999-2025 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+# Maintainers should subscribe to the 'curl-distros' ML for backports etc
+# https://daniel.haxx.se/blog/2024/03/25/curl-distro-report/
+# https://lists.haxx.se/listinfo/curl-distros
+
+VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/danielstenberg.asc
+inherit autotools multilib-minimal multiprocessing prefix toolchain-funcs verify-sig
+
+DESCRIPTION="A Client that groks URLs"
+HOMEPAGE="https://curl.se/"
+
+if [[ ${PV} == 9999 ]]; then
+	inherit git-r3
+	EGIT_REPO_URI="https://github.com/curl/curl.git"
+else
+	if [[ ${P} == *rc* ]]; then
+		CURL_URI="https://curl.se/rc/"
+		S="${WORKDIR}/${P//_/-}"
+	else
+		CURL_URI="https://curl.se/download/"
+		KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
+	fi
+	SRC_URI="
+		${CURL_URI}${P//_/-}.tar.xz
+		verify-sig? ( ${CURL_URI}${P//_/-}.tar.xz.asc )
+	"
+fi
+
+LICENSE="BSD curl ISC test? ( BSD-4 )"
+SLOT="0"
+IUSE="+adns +alt-svc brotli debug ech +ftp gnutls gopher +hsts +http2 +http3 +httpsrr idn +imap kerberos ldap"
+IUSE+=" mbedtls +openssl +pop3 +psl +quic rtmp rustls samba sasl-scram +smtp ssh ssl static-libs test"
+IUSE+=" telnet +tftp +websockets zstd"
+# These select the default tls implementation / which quic impl to use
+IUSE+=" +curl_quic_openssl curl_quic_ngtcp2 curl_ssl_gnutls curl_ssl_mbedtls +curl_ssl_openssl curl_ssl_rustls"
+RESTRICT="!test? ( test )"
+
+# HTTPS RR is technically usable with the threaded resolver, but it still uses c-ares to
+# ask for the HTTPS RR record type; if DoH is in use the HTTPS record will be requested
+# in addition to A and AAAA records.
+
+# To simplify dependency management in the ebuild we'll require c-ares for HTTPS RR (for now?).
+# HTTPS RR in cURL is a dependency for:
+# - ECH (requires patched openssl or gnutls currently, enabled with rustls)
+# - Fetching the ALPN list which should provide a better HTTP/3 experience.
+
+# Only one default ssl / quic provider can be enabled
+# The default provider needs its USE satisfied
+# HTTP/3 and MultiSSL are mutually exclusive; it's not clear if MultiSSL offers any benefit at all in the modern day.
+# https://github.com/curl/curl/commit/65ece771f4602107d9cdd339dff4b420280a2c2e
+REQUIRED_USE="
+	ech? ( rustls )
+	httpsrr? ( adns )
+	quic? (
+		^^ (
+			curl_quic_openssl
+			curl_quic_ngtcp2
+		)
+		http3
+		ssl
+	)
+	ssl? (
+		^^ (
+			curl_ssl_gnutls
+			curl_ssl_mbedtls
+			curl_ssl_openssl
+			curl_ssl_rustls
+		)
+	)
+	curl_quic_openssl? (
+		curl_ssl_openssl
+		!gnutls
+		!mbedtls
+		!rustls
+	)
+	curl_quic_ngtcp2? (
+		curl_ssl_gnutls
+		!mbedtls
+		!openssl
+		!rustls
+	)
+	curl_ssl_gnutls? ( gnutls )
+	curl_ssl_mbedtls? ( mbedtls )
+	curl_ssl_openssl? ( openssl )
+	curl_ssl_rustls? ( rustls )
+	http3? ( alt-svc httpsrr quic )
+"
+
+# cURL's docs and CI/CD are great resources for confirming supported versions
+# particulary for fast-moving targets like HTTP/2 and TCP/2 e.g.:
+# - https://github.com/curl/curl/blob/master/docs/INTERNALS.md (core dependencies + minimum versions)
+# - https://github.com/curl/curl/blob/master/docs/HTTP3.md (example of a feature that moves quickly)
+# - https://github.com/curl/curl/blob/master/.github/workflows/http3-linux.yml (CI/CD for TCP/2)
+# However 'supported' vs 'works' are two entirely different things; be sane but
+# don't be afraid to require a later version.
+# ngtcp2 = https://bugs.gentoo.org/912029 - can only build with one tls backend at a time.
+# TODO: OpenSSL-QUIC support is going to be removed in 2026; depend on ngtcp2[{gnutls,openssl}] before that point.
+# - https://github.com/curl/curl/pull/18820 (Deprecate OpenSSL QUIC support)
+# - https://github.com/curl/curl/issues/18336 (curl w/ OpenSSL QUIC fails to fetch Google.com)
+RDEPEND="
+	>=virtual/zlib-1.2.5:=[${MULTILIB_USEDEP}]
+	adns? ( >=net-dns/c-ares-1.16.0:=[${MULTILIB_USEDEP}] )
+	brotli? ( app-arch/brotli:=[${MULTILIB_USEDEP}] )
+	http2? ( >=net-libs/nghttp2-1.15.0:=[${MULTILIB_USEDEP}] )
+	http3? ( >=net-libs/nghttp3-1.1.0[${MULTILIB_USEDEP}] )
+	idn? ( >=net-dns/libidn2-2.0.0:=[static-libs?,${MULTILIB_USEDEP}] )
+	kerberos? ( >=virtual/krb5-0-r1[${MULTILIB_USEDEP}] )
+	ldap? ( >=net-nds/openldap-2.0.0:=[static-libs?,${MULTILIB_USEDEP}] )
+	psl? ( net-libs/libpsl[${MULTILIB_USEDEP}] )
+	quic? (
+		curl_quic_openssl? ( >=dev-libs/openssl-3.3.0:=[quic,${MULTILIB_USEDEP}] )
+		curl_quic_ngtcp2? ( >=net-libs/ngtcp2-1.2.0[gnutls,ssl,-openssl,${MULTILIB_USEDEP}] )
+	)
+	rtmp? ( media-video/rtmpdump[${MULTILIB_USEDEP}] )
+	ssh? ( >=net-libs/libssh2-1.2.8[${MULTILIB_USEDEP}] )
+	sasl-scram? ( >=net-misc/gsasl-2.2.0[static-libs?,${MULTILIB_USEDEP}] )
+	ssl? (
+		gnutls? (
+			app-misc/ca-certificates
+			>=net-libs/gnutls-3.1.10:=[static-libs?,${MULTILIB_USEDEP}]
+			dev-libs/nettle:=[${MULTILIB_USEDEP}]
+		)
+		mbedtls? (
+			app-misc/ca-certificates
+			net-libs/mbedtls:3=[${MULTILIB_USEDEP}]
+		)
+		openssl? (
+			>=dev-libs/openssl-1.0.2:=[static-libs?,${MULTILIB_USEDEP}]
+		)
+		rustls? (
+			>=net-libs/rustls-ffi-0.15.0:=[${MULTILIB_USEDEP}]
+		)
+	)
+	zstd? ( app-arch/zstd:=[${MULTILIB_USEDEP}] )
+"
+
+DEPEND="${RDEPEND}"
+
+BDEPEND="
+	dev-lang/perl
+	virtual/pkgconfig
+	test? (
+		sys-apps/diffutils
+		http2? ( >=net-libs/nghttp2-1.15.0:=[utils,${MULTILIB_USEDEP}] )
+		http3? ( net-libs/nghttp2:=[utils,${MULTILIB_USEDEP}] )
+	)
+	verify-sig? ( sec-keys/openpgp-keys-danielstenberg )
+"
+
+DOCS=( README docs/{FEATURES.md,INTERNALS.md,FAQ,BUGS.md,CONTRIBUTE.md} )
+
+MULTILIB_WRAPPED_HEADERS=(
+	/usr/include/curl/curlbuild.h
+)
+
+MULTILIB_CHOST_TOOLS=(
+	/usr/bin/curl-config
+)
+
+QA_CONFIG_IMPL_DECL_SKIP=(
+	__builtin_available
+	closesocket
+	CloseSocket
+	getpass_r
+	ioctlsocket
+	IoctlSocket
+	mach_absolute_time
+	setmode
+	_fseeki64
+	# custom AC_LINK_IFELSE code fails to link even without -Werror
+	OSSL_QUIC_client_method
+)
+
+PATCHES=(
+	"${FILESDIR}/${PN}-prefix-5.patch"
+	"${FILESDIR}/${PN}-respect-cflags-3.patch"
+	"${FILESDIR}/${P}-progress-parallel.patch"
+	"${FILESDIR}/${P}-curlopt-capath.patch"
+	"${FILESDIR}/${P}-wcurl-CVE-2025-11563.patch"
+)
+
+src_prepare() {
+	default
+
+	eprefixify curl-config.in
+	eautoreconf
+}
+
+# Generates TLS-related configure options based on USE flags.
+# Outputs options suitable for appending to a configure options array.
+_get_curl_tls_configure_opts() {
+	local tls_opts=()
+
+	local backend flag_name
+	for backend in gnutls mbedtls openssl rustls; do
+		if [[ "$backend" == "openssl" ]]; then
+			flag_name="ssl"
+			tls_opts+=( "--with-ca-path=${EPREFIX}/etc/ssl/certs")
+		else
+			flag_name="$backend"
+		fi
+
+		if use "$backend"; then
+			tls_opts+=( "--with-${flag_name}" )
+		else
+			# If a single backend is enabled, 'ssl' is required, openssl is the default / fallback
+			if ! [[ "$backend" == "openssl" ]]; then
+				tls_opts+=( "--without-${flag_name}" )
+			fi
+		fi
+	done
+
+	if use curl_ssl_gnutls; then
+		multilib_is_native_abi && einfo "Default TLS backend: gnutls"
+		tls_opts+=( "--with-default-ssl-backend=gnutls" )
+	elif use curl_ssl_mbedtls; then
+		multilib_is_native_abi && einfo "Default TLS backend: mbedtls"
+		tls_opts+=( "--with-default-ssl-backend=mbedtls" )
+	elif use curl_ssl_openssl; then
+		multilib_is_native_abi && einfo "Default TLS backend: openssl"
+		tls_opts+=( "--with-default-ssl-backend=openssl" )
+	elif use curl_ssl_rustls; then
+		multilib_is_native_abi && einfo "Default TLS backend: rustls"
+		tls_opts+=( "--with-default-ssl-backend=rustls" )
+	else
+		eerror "We can't be here because of REQUIRED_USE."
+		die "Please file a bug, hit impossible condition w/ USE=ssl handling."
+	fi
+
+	# Explicitly Disable unimplemented backends
+	tls_opts+=(
+		--without-amissl
+		--without-wolfssl
+	)
+
+	printf "%s\n" "${tls_opts[@]}"
+}
+
+multilib_src_configure() {
+	# We make use of the fact that later flags override earlier ones
+	# So start with all ssl providers off until proven otherwise
+	# TODO: in the future, we may want to add wolfssl (https://www.wolfssl.com/)
+	local myconf=()
+
+	myconf+=( --without-ca-fallback --with-ca-bundle="${EPREFIX}"/etc/ssl/certs/ca-certificates.crt  )
+	if use ssl; then
+		local -a tls_backend_opts
+		readarray -t tls_backend_opts < <(_get_curl_tls_configure_opts)
+		myconf+=("${tls_backend_opts[@]}")
+		if use quic; then
+			myconf+=(
+				$(use_with curl_quic_ngtcp2 ngtcp2)
+				$(use_with curl_quic_openssl openssl-quic)
+			)
+		else
+			# Without a REQUIRED_USE to ensure that QUIC was requested when at least one default backend is
+			# enabled we need ensure that we don't try to build QUIC support
+			myconf+=( --without-ngtcp2 --without-openssl-quic )
+		fi
+	else
+		myconf+=( --without-ssl )
+		einfo "SSL disabled"
+	fi
+
+	# These configuration options are organised alphabetically by category/type
+
+	# Protocols
+	# `grep SUPPORT_PROTOCOLS=\" configure.ac | awk '{ print substr($2, 1, length($2)-1)}' | sort`
+	# Assume that anything omitted (that is not new!) is enabled by default with no deps
+	myconf+=(
+		--enable-file
+		$(use_enable ftp)
+		$(use_enable gopher)
+		--enable-http
+		$(use_enable imap) # Automatic IMAPS if TLS is enabled
+		$(use_enable ldap ldaps)
+		$(use_enable ldap)
+		$(use_enable pop3)
+		$(use_enable samba smb)
+		$(use_with ssh libssh2) # enables scp/sftp
+		$(use_with rtmp librtmp)
+		--enable-rtsp
+		$(use_enable smtp)
+		$(use_enable telnet)
+		$(use_enable tftp)
+		$(use_enable websockets)
+	)
+
+	# Keep various 'HTTP-flavoured' options together
+	myconf+=(
+		$(use_enable alt-svc)
+		$(use_enable hsts)
+		$(use_enable httpsrr)
+		$(use_with http2 nghttp2)
+		$(use_with http3 nghttp3)
+	)
+
+	# --enable/disable options
+	# `grep -- --enable configure | grep Check | awk '{ print $4 }' | sort`
+	myconf+=(
+		$(use_enable adns ares)
+		--enable-aws
+		--enable-basic-auth
+		--enable-bearer-auth
+		--enable-cookies
+		--enable-dateparse
+		--enable-dict
+		--enable-digest-auth
+		--enable-dnsshuffle
+		--enable-doh
+		$(use_enable ech)
+		--enable-http-auth
+		--enable-ipv6
+		--enable-kerberos-auth
+		--enable-largefile
+		--enable-manual
+		--enable-mime
+		--enable-negotiate-auth
+		--enable-netrc
+		--enable-ntlm
+		--enable-progress-meter
+		--enable-proxy
+		--enable-rt
+		--enable-socketpair
+		--disable-sspi
+		$(use_enable static-libs static)
+		--enable-symbol-hiding
+		--enable-tls-srp
+		--disable-versioned-symbols
+	)
+
+	# --with/without options
+	# `grep -- --with configure | grep Check | awk '{ print $4 }' | sort`
+	myconf+=(
+		$(use_with brotli)
+		--with-fish-functions-dir="${EPREFIX}"/usr/share/fish/vendor_completions.d
+		$(use_with idn libidn2)
+		$(use_with kerberos gssapi "${EPREFIX}"/usr)
+		$(use_with sasl-scram libgsasl)
+		$(use_with psl libpsl)
+		--without-quiche
+		--without-schannel
+		--without-winidn
+		--with-zlib
+		--with-zsh-functions-dir="${EPREFIX}"/usr/share/zsh/site-functions
+		$(use_with zstd)
+	)
+
+	# Test deps (disabled)
+	myconf+=(
+		--without-test-caddy
+		--without-test-httpd
+		--without-test-nghttpx
+	)
+
+	if use debug; then
+		myconf+=(
+			--enable-debug
+		)
+	fi
+
+	if use test && multilib_is_native_abi && ( use http2 || use http3 ); then
+		myconf+=(
+			--with-test-nghttpx="${BROOT}/usr/bin/nghttpx"
+		)
+	fi
+
+	# Since 8.12.0 adns/c-ares and the threaded resolver are mutually exclusive
+	# This is in support of some work to enable `httpsrr` to use adns and the rest
+	# of curl to use the threaded resolver; for us `httpsrr` is conditional on adns.
+	if use adns; then
+		myconf+=(
+			--disable-threaded-resolver
+		)
+	else
+		myconf+=(
+			--enable-threaded-resolver
+		)
+	fi
+
+	ECONF_SOURCE="${S}" econf "${myconf[@]}"
+
+	if ! multilib_is_native_abi; then
+		# Avoid building the client (we just want libcurl for multilib)
+		sed -i -e '/SUBDIRS/s:src::' Makefile || die
+		sed -i -e '/SUBDIRS/s:scripts::' Makefile || die
+	fi
+
+}
+
+multilib_src_compile() {
+	default
+
+	if multilib_is_native_abi; then
+		# Shell completions
+		! tc-is-cross-compiler && emake -C scripts
+	fi
+}
+
+# There is also a pytest harness that tests for bugs in some very specific
+# situations; we can rely on upstream for this rather than adding additional test deps.
+multilib_src_test() {
+	# See https://github.com/curl/curl/blob/master/tests/runtests.pl#L5721
+	# -n: no valgrind (unreliable in sandbox and doesn't work correctly on all arches)
+	# -v: verbose
+	# -a: keep going on failure (so we see everything that breaks, not just 1st test)
+	# -k: keep test files after completion
+	# -am: automake style TAP output
+	# -p: print logs if test fails
+	# Note: if needed, we can skip specific tests. See e.g. Fedora's packaging
+	# or just read https://github.com/curl/curl/tree/master/tests#run.
+	# Note: we don't run the testsuite for cross-compilation.
+	# Upstream recommend 7*nproc as a starting point for parallel tests, but
+	# this ends up breaking when nproc is huge (like -j80).
+	# The network sandbox causes tests 241 and 1083 to fail; these are typically skipped
+	# as most gentoo users don't have an 'ip6-localhost'
+	multilib_is_native_abi && emake test TFLAGS="-n -v -a -k -am -p -j$((2*$(makeopts_jobs))) !241 !1083"
+}
+
+multilib_src_install() {
+	emake DESTDIR="${D}" install
+
+	if multilib_is_native_abi; then
+		# Shell completions
+		! tc-is-cross-compiler && emake -C scripts DESTDIR="${D}" install
+	fi
+}
+
+multilib_src_install_all() {
+	einstalldocs
+	find "${ED}" -type f -name '*.la' -delete || die
+	rm -rf "${ED}"/etc/ || die
+}
+
+pkg_postinst() {
+	if use debug; then
+		ewarn "USE=debug has been selected, enabling debug codepaths and making cURL extra verbose."
+		ewarn "Use this _only_ for testing. Debug builds should _not_ be used in anger."
+		ewarn "hic sunt dracones; you have been warned."
+	fi
+}

sdk_container/src/third_party/portage-stable/net-misc/curl/curl-8.17.0.ebuild

@@ -102,7 +102,7 @@ REQUIRED_USE="
 # - https://github.com/curl/curl/pull/18820 (Deprecate OpenSSL QUIC support)
 # - https://github.com/curl/curl/issues/18336 (curl w/ OpenSSL QUIC fails to fetch Google.com)
 RDEPEND="
-	>=sys-libs/zlib-1.2.5[${MULTILIB_USEDEP}]
+	>=virtual/zlib-1.2.5:=[${MULTILIB_USEDEP}]
 	adns? ( >=net-dns/c-ares-1.16.0:=[${MULTILIB_USEDEP}] )
 	brotli? ( app-arch/brotli:=[${MULTILIB_USEDEP}] )
 	http2? ( >=net-libs/nghttp2-1.15.0:=[${MULTILIB_USEDEP}] )

sdk_container/src/third_party/portage-stable/net-misc/curl/curl-9999.ebuild

@@ -102,7 +102,7 @@ REQUIRED_USE="
 # - https://github.com/curl/curl/pull/18820 (Deprecate OpenSSL QUIC support)
 # - https://github.com/curl/curl/issues/18336 (curl w/ OpenSSL QUIC fails to fetch Google.com)
 RDEPEND="
-	>=sys-libs/zlib-1.2.5[${MULTILIB_USEDEP}]
+	>=virtual/zlib-1.2.5:=[${MULTILIB_USEDEP}]
 	adns? ( >=net-dns/c-ares-1.16.0:=[${MULTILIB_USEDEP}] )
 	brotli? ( app-arch/brotli:=[${MULTILIB_USEDEP}] )
 	http2? ( >=net-libs/nghttp2-1.15.0:=[${MULTILIB_USEDEP}] )

sdk_container/src/third_party/portage-stable/net-misc/curl/files/curl-8.17.0-curlopt-capath.patch

@@ -0,0 +1,289 @@
+https://github.com/curl/curl/pull/19408
+
+From f36ab2dd6f33b9a9c069a034cf4f1451006d0f21 Mon Sep 17 00:00:00 2001
+From: Stefan Eissing <stefan@eissing.org>
+Date: Sat, 8 Nov 2025 14:28:38 +0100
+Subject: [PATCH 1/4] fix --capath use
+
+A regression in curl 8.17.0 led to a customer CAPATH set by the application
+(or the curl command) to be ignored unless licurl was built with a default
+CAPATH.
+
+Add test cases using `--capath` on the custom pytest CA, generated with
+the help of the openssl command when available.
+
+refs #19401
+---
+ lib/vtls/vtls.c               |  4 ++--
+ tests/http/test_17_ssl_use.py | 23 +++++++++++++++++++++++
+ tests/http/testenv/certs.py   | 16 ++++++++++++++++
+ tests/http/testenv/curl.py    |  3 ++-
+ tests/http/testenv/env.py     | 20 ++++++++++++++++++++
+ 5 files changed, 63 insertions(+), 3 deletions(-)
+
+diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
+index 3b7a095c8b75..3858cad98312 100644
+--- a/lib/vtls/vtls.c
++++ b/lib/vtls/vtls.c
+@@ -310,7 +310,6 @@ CURLcode Curl_ssl_easy_config_complete(struct Curl_easy *data)
+       if(result)
+         return result;
+     }
+-    sslc->primary.CApath = data->set.str[STRING_SSL_CAPATH];
+ #endif
+ #ifdef CURL_CA_BUNDLE
+     if(!sslc->custom_cafile && !set->str[STRING_SSL_CAFILE]) {
+@@ -322,6 +321,7 @@ CURLcode Curl_ssl_easy_config_complete(struct Curl_easy *data)
+   }
+   sslc->primary.CAfile = data->set.str[STRING_SSL_CAFILE];
+   sslc->primary.CRLfile = data->set.str[STRING_SSL_CRLFILE];
++  sslc->primary.CApath = data->set.str[STRING_SSL_CAPATH];
+   sslc->primary.issuercert = data->set.str[STRING_SSL_ISSUERCERT];
+   sslc->primary.issuercert_blob = data->set.blobs[BLOB_SSL_ISSUERCERT];
+   sslc->primary.cipher_list = data->set.str[STRING_SSL_CIPHER_LIST];
+@@ -358,7 +358,6 @@ CURLcode Curl_ssl_easy_config_complete(struct Curl_easy *data)
+       if(result)
+         return result;
+     }
+-    sslc->primary.CApath = data->set.str[STRING_SSL_CAPATH_PROXY];
+ #endif
+ #ifdef CURL_CA_BUNDLE
+     if(!sslc->custom_cafile && !set->str[STRING_SSL_CAFILE_PROXY]) {
+@@ -370,6 +369,7 @@ CURLcode Curl_ssl_easy_config_complete(struct Curl_easy *data)
+ #endif
+   }
+   sslc->primary.CAfile = data->set.str[STRING_SSL_CAFILE_PROXY];
++  sslc->primary.CApath = data->set.str[STRING_SSL_CAPATH_PROXY];
+   sslc->primary.cipher_list = data->set.str[STRING_SSL_CIPHER_LIST_PROXY];
+   sslc->primary.cipher_list13 = data->set.str[STRING_SSL_CIPHER13_LIST_PROXY];
+   sslc->primary.pinned_key = data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY];
+diff --git a/tests/http/test_17_ssl_use.py b/tests/http/test_17_ssl_use.py
+index 57e1c014042b..20b6fdaef18b 100644
+--- a/tests/http/test_17_ssl_use.py
++++ b/tests/http/test_17_ssl_use.py
+@@ -597,3 +597,26 @@ def test_17_20_correct_pin(self, env: Env, proto, httpd):
+         ])
+         # expect NOT_IMPLEMENTED or OK
+         assert r.exit_code in [0, 2], f'{r.dump_logs()}'
++
++    @pytest.mark.skipif(condition=not Env.have_openssl(), reason="needs openssl command")
++    def test_17_21_capath_valid(self, env: Env, httpd):
++        proto = 'http/1.1'
++        curl = CurlClient(env=env)
++        url = f'https://{env.authority_for(env.domain1, proto)}/curltest/sslinfo'
++        r = curl.http_get(url=url, alpn_proto=proto, extra_args=[
++            '--capath', os.path.join(env.gen_dir, 'ca/hashdir')
++        ])
++        assert r.exit_code == 0, f'{r.dump_logs()}'
++        assert r.json['HTTPS'] == 'on', f'{r.json}'
++
++    @pytest.mark.skipif(condition=not Env.have_openssl(), reason="needs openssl command")
++    def test_17_22_capath_invalid(self, env: Env, httpd):
++        proto = 'http/1.1'
++        curl = CurlClient(env=env)
++        url = f'https://{env.authority_for(env.domain1, proto)}/curltest/sslinfo'
++        r = curl.http_get(url=url, alpn_proto=proto, extra_args=[
++            '--capath', os.path.join(env.gen_dir, 'ca/invalid')
++        ])
++        # CURLE_PEER_FAILED_VERIFICATION
++        assert r.exit_code == 60, f'{r.dump_logs()}'
++
+diff --git a/tests/http/testenv/certs.py b/tests/http/testenv/certs.py
+index e59b1ea147e1..c9a30aaac065 100644
+--- a/tests/http/testenv/certs.py
++++ b/tests/http/testenv/certs.py
+@@ -28,6 +28,8 @@
+ import ipaddress
+ import os
+ import re
++import shutil
++import subprocess
+ from datetime import timedelta, datetime, timezone
+ from typing import List, Any, Optional
+ 
+@@ -200,6 +202,10 @@ def pkey_file(self) -> Optional[str]:
+     def combined_file(self) -> Optional[str]:
+         return self._combined_file
+ 
++    @property
++    def hashdir(self) -> Optional[str]:
++        return os.path.join(self._store.path, 'hashdir')
++
+     def get_first(self, name) -> Optional['Credentials']:
+         creds = self._store.get_credentials_for_name(name) if self._store else []
+         return creds[0] if len(creds) else None
+@@ -236,6 +242,16 @@ def issue_cert(self, spec: CertificateSpec,
+             creds.issue_certs(spec.sub_specs, chain=subchain)
+         return creds
+ 
++    def create_hashdir(self, openssl):
++        os.makedirs(self.hashdir, exist_ok=True)
++        p = subprocess.run(args=[
++            openssl, 'x509', '-hash', '-noout', '-in', self.cert_file
++        ], capture_output=True, text=True)
++        if p.returncode != 0:
++            raise Exception(f'openssl failed to compute cert hash: {p}')
++        cert_hname = f'{p.stdout.strip()}.0'
++        shutil.copy(self.cert_file, os.path.join(self.hashdir, cert_hname))
++
+ 
+ class CertStore:
+ 
+diff --git a/tests/http/testenv/curl.py b/tests/http/testenv/curl.py
+index dc885ab8cba9..a92e4f681f34 100644
+--- a/tests/http/testenv/curl.py
++++ b/tests/http/testenv/curl.py
+@@ -987,7 +987,8 @@ def _complete_args(self, urls, timeout=None, options=None,
+                 pass
+             elif insecure:
+                 args.append('--insecure')
+-            elif active_options and "--cacert" in active_options:
++            elif active_options and ("--cacert" in active_options or \
++                    "--capath" in active_options):
+                 pass
+             elif u.hostname:
+                 args.extend(["--cacert", self.env.ca.cert_file])
+diff --git a/tests/http/testenv/env.py b/tests/http/testenv/env.py
+index ff8741530b70..859b704a35a3 100644
+--- a/tests/http/testenv/env.py
++++ b/tests/http/testenv/env.py
+@@ -199,6 +199,16 @@ def __init__(self, pytestconfig: Optional[pytest.Config] = None,
+             ]),
+         ]
+ 
++        self.openssl = 'openssl'
++        p = subprocess.run(args=[self.openssl, 'version'],
++                           capture_output=True, text=True)
++        if p.returncode != 0:
++            # no openssl in path
++            self.openssl = None
++            self.openssl_version = None
++        else:
++            self.openssl_version = p.stdout.strip()
++
+         self.nghttpx = self.config['nghttpx']['nghttpx']
+         if len(self.nghttpx.strip()) == 0:
+             self.nghttpx = None
+@@ -372,6 +382,10 @@ def setup_incomplete() -> bool:
+     def incomplete_reason() -> Optional[str]:
+         return Env.CONFIG.get_incomplete_reason()
+ 
++    @staticmethod
++    def have_openssl() -> bool:
++        return Env.CONFIG.openssl is not None
++
+     @staticmethod
+     def have_nghttpx() -> bool:
+         return Env.CONFIG.nghttpx is not None
+@@ -548,6 +562,8 @@ def issue_certs(self):
+                                               store_dir=ca_dir,
+                                               key_type="rsa2048")
+                 self._ca.issue_certs(self.CONFIG.cert_specs)
++                if self.have_openssl():
++                    self._ca.create_hashdir(self.openssl)
+ 
+     def setup(self):
+         os.makedirs(self.gen_dir, exist_ok=True)
+@@ -703,6 +719,10 @@ def ws_port(self) -> int:
+     def curl(self) -> str:
+         return self.CONFIG.curl
+ 
++    @property
++    def openssl(self) -> Optional[str]:
++        return self.CONFIG.openssl
++
+     @property
+     def httpd(self) -> str:
+         return self.CONFIG.httpd
+
+From 02a595146a0bd3036f653ec48d5bfc9a0187ab75 Mon Sep 17 00:00:00 2001
+From: Stefan Eissing <stefan@eissing.org>
+Date: Sat, 8 Nov 2025 14:37:22 +0100
+Subject: [PATCH 2/4] use correct hashdir
+
+---
+ tests/http/test_17_ssl_use.py | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/tests/http/test_17_ssl_use.py b/tests/http/test_17_ssl_use.py
+index 20b6fdaef18b..0019bb1239d2 100644
+--- a/tests/http/test_17_ssl_use.py
++++ b/tests/http/test_17_ssl_use.py
+@@ -604,7 +604,7 @@ def test_17_21_capath_valid(self, env: Env, httpd):
+         curl = CurlClient(env=env)
+         url = f'https://{env.authority_for(env.domain1, proto)}/curltest/sslinfo'
+         r = curl.http_get(url=url, alpn_proto=proto, extra_args=[
+-            '--capath', os.path.join(env.gen_dir, 'ca/hashdir')
++            '--capath', env.ca.hashdir
+         ])
+         assert r.exit_code == 0, f'{r.dump_logs()}'
+         assert r.json['HTTPS'] == 'on', f'{r.json}'
+@@ -619,4 +619,3 @@ def test_17_22_capath_invalid(self, env: Env, httpd):
+         ])
+         # CURLE_PEER_FAILED_VERIFICATION
+         assert r.exit_code == 60, f'{r.dump_logs()}'
+-
+
+From 5a952c670b0cf6e5735c2178014600af062390c4 Mon Sep 17 00:00:00 2001
+From: Stefan Eissing <stefan@eissing.org>
+Date: Sat, 8 Nov 2025 14:50:23 +0100
+Subject: [PATCH 3/4] test_17_21 skip for rustls test_17_22 accept error 77 as
+ well
+
+---
+ tests/http/test_17_ssl_use.py | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/tests/http/test_17_ssl_use.py b/tests/http/test_17_ssl_use.py
+index 0019bb1239d2..76f20080b3d6 100644
+--- a/tests/http/test_17_ssl_use.py
++++ b/tests/http/test_17_ssl_use.py
+@@ -600,6 +600,8 @@ def test_17_20_correct_pin(self, env: Env, proto, httpd):
+ 
+     @pytest.mark.skipif(condition=not Env.have_openssl(), reason="needs openssl command")
+     def test_17_21_capath_valid(self, env: Env, httpd):
++        if env.curl_uses_lib('rustls'):
++            pytest.skip('rustls does not support CURLOPT_CAPATH')
+         proto = 'http/1.1'
+         curl = CurlClient(env=env)
+         url = f'https://{env.authority_for(env.domain1, proto)}/curltest/sslinfo'
+@@ -611,11 +613,13 @@ def test_17_21_capath_valid(self, env: Env, httpd):
+ 
+     @pytest.mark.skipif(condition=not Env.have_openssl(), reason="needs openssl command")
+     def test_17_22_capath_invalid(self, env: Env, httpd):
++        # we can test all TLS backends here. the ones not supporting CAPATH
++        # need to fail as well as the ones which do, but get an invalid path.
+         proto = 'http/1.1'
+         curl = CurlClient(env=env)
+         url = f'https://{env.authority_for(env.domain1, proto)}/curltest/sslinfo'
+         r = curl.http_get(url=url, alpn_proto=proto, extra_args=[
+             '--capath', os.path.join(env.gen_dir, 'ca/invalid')
+         ])
+-        # CURLE_PEER_FAILED_VERIFICATION
+-        assert r.exit_code == 60, f'{r.dump_logs()}'
++        # CURLE_PEER_FAILED_VERIFICATION or CURLE_SSL_CACERT_BADFILE
++        assert r.exit_code in [60, 77], f'{r.dump_logs()}'
+
+From 10d57fbbe4c1036780d36feed6f55a87307c6e25 Mon Sep 17 00:00:00 2001
+From: Stefan Eissing <stefan@eissing.org>
+Date: Sat, 8 Nov 2025 14:58:25 +0100
+Subject: [PATCH 4/4] use 'rustls-ffi' to check for rustsls backend
+
+---
+ tests/http/test_17_ssl_use.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tests/http/test_17_ssl_use.py b/tests/http/test_17_ssl_use.py
+index 76f20080b3d6..615658f06c01 100644
+--- a/tests/http/test_17_ssl_use.py
++++ b/tests/http/test_17_ssl_use.py
+@@ -600,7 +600,7 @@ def test_17_20_correct_pin(self, env: Env, proto, httpd):
+ 
+     @pytest.mark.skipif(condition=not Env.have_openssl(), reason="needs openssl command")
+     def test_17_21_capath_valid(self, env: Env, httpd):
+-        if env.curl_uses_lib('rustls'):
++        if env.curl_uses_lib('rustls-ffi'):
+             pytest.skip('rustls does not support CURLOPT_CAPATH')
+         proto = 'http/1.1'
+         curl = CurlClient(env=env)
+

sdk_container/src/third_party/portage-stable/net-misc/curl/files/curl-8.17.0-progress-parallel.patch

@@ -0,0 +1,54 @@
+https://github.com/curl/curl/pull/19383
+
+From a5038ff41f83907c896a41716f4f78a80a144cd1 Mon Sep 17 00:00:00 2001
+From: Stefan Eissing <stefan@eissing.org>
+Date: Thu, 6 Nov 2025 12:47:33 +0100
+Subject: [PATCH] curl: fix progress meter in parallel mode
+
+With `check_finished()` triggered by notifications now, the
+`progress_meter()` was no longer called at regular intervals.
+
+Move `progress_meter()` out of `check_finishe()` into the perform
+loop and event callbacks.
+---
+ src/tool_operate.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/tool_operate.c b/src/tool_operate.c
+index 74f5da5fa915..e1f61a2ba519 100644
+--- a/src/tool_operate.c
++++ b/src/tool_operate.c
+@@ -1549,6 +1549,7 @@ static void on_uv_socket(uv_poll_t *req, int status, int events)
+ 
+   curl_multi_socket_action(c->uv->s->multi, c->sockfd, flags,
+                            &c->uv->s->still_running);
++  progress_meter(c->uv->s->multi, &c->uv->s->start, FALSE);
+ }
+ 
+ /* callback from libuv when timeout expires */
+@@ -1561,6 +1562,7 @@ static void on_uv_timeout(uv_timer_t *req)
+   if(uv && uv->s) {
+     curl_multi_socket_action(uv->s->multi, CURL_SOCKET_TIMEOUT, 0,
+                              &uv->s->still_running);
++    progress_meter(uv->s->multi, &uv->s->start, FALSE);
+   }
+ }
+ 
+@@ -1733,7 +1735,6 @@ static CURLcode check_finished(struct parastate *s)
+   int rc;
+   CURLMsg *msg;
+   bool checkmore = FALSE;
+-  progress_meter(s->multi, &s->start, FALSE);
+   do {
+     msg = curl_multi_info_read(s->multi, &rc);
+     if(msg) {
+@@ -1875,6 +1876,8 @@ static CURLcode parallel_transfers(CURLSH *share)
+       s->mcode = curl_multi_poll(s->multi, NULL, 0, 1000, NULL);
+       if(!s->mcode)
+         s->mcode = curl_multi_perform(s->multi, &s->still_running);
++
++      progress_meter(s->multi, &s->start, FALSE);
+     }
+ 
+     (void)progress_meter(s->multi, &s->start, TRUE);
+

sdk_container/src/third_party/portage-stable/net-misc/curl/files/curl-8.17.0-wcurl-CVE-2025-11563.patch

@@ -0,0 +1,27 @@
+https://bugs.gentoo.org/966140
+https://github.com/curl/wcurl/commit/65546bae0164a97d89d42176e366d9c7c7796261
+
+From 65546bae0164a97d89d42176e366d9c7c7796261 Mon Sep 17 00:00:00 2001
+From: Xi Ruoyao <xry111@xry111.site>
+Date: Sun, 9 Nov 2025 14:30:34 +0800
+Subject: [PATCH] wcurl: Really fix CVE-2025-11563
+
+When we pass a string to is_safe_percent_encode, it always begins with
+"%'.  But the lookup table UNSAFE_PERCENT_ENCODE does not contain "%" so
+nothing can be matched.
+
+Also update the test suite to fix the false positive.
+
+Signed-off-by: Xi Ruoyao <xry111@xry111.site>
+
+--- a/scripts/wcurl
++++ b/scripts/wcurl
+@@ -118,7 +118,7 @@ readonly PER_URL_PARAMETERS="\
+ # characters.
+ # 2F = /
+ # 5C = \
+-readonly UNSAFE_PERCENT_ENCODE="2F 5C"
++readonly UNSAFE_PERCENT_ENCODE="%2F %5C"
+ 
+ # Whether to invoke curl or not.
+ DRY_RUN="false"