Bundled libcurl is used even if `static-curl` feature is not present

[Shnatsel]

Right now curl-rust will silently fall back to statically linking the bundled version of libcurl, even if static-curl feature is not present.

This present a security issue: if you have configured the build to dynamically link to libcurl, it is reasonable to assume that updating the system-wide libcurl is sufficient to mitigate any outstanding CVEs. But in reality curl-rust may have silently fallen back to a bundled libcurl, which is still vulnerable.

[sagebind]

Not commenting on the security aspect, but throwing an error at compile time if we can't link to a system-wide libcurl instead of defaulting to the bundled version would make it more annoying for consumers of the crate to depend on. There are probably a ton of crates built in a lot of environments that would no longer compile if we made this change. We'd absolutely have to treat it as a breaking change.

[Shnatsel]

Yes, I believe it is best to treat this as a breaking change and make a new major release.

[alexcrichton]

Thanks for the report, but "always working" is a feature of this crate and I do not want to require an opt-in to build the bundled version.

[Shnatsel]

You misunderstand: I'm not trying to dispute the defaults, what I'm looking for is a reliable way to opt out of static linking.

[alexcrichton]

If that desired that sounds ok to me, feel free to send a PR!

[Shnatsel]

Yes, it is essential for cases where you care about security of the system. If you're not opposed to this, could you reopen the issue so that we'd have a way to track this work item?