Use system pycurl packages instead of pip installation #13994

Closed
valentijnscholten wants to merge 2 commits into DefectDojo:dev from valentijnscholten:remove-pycurl

@valentijnscholten (Member) commented Dec 29, 2025

Description

Remove pycurl from requirements.txt and use OS-provided system packages instead to eliminate the need for compilation during Docker builds.

Why Remove pycurl from requirements.txt?

1. pycurl is NOT directly used by DefectDojo

$ grep -r "import.*pycurl\|from.*pycurl" dojo/
# No results - pycurl is never imported in DefectDojo code

pycurl is only a transitive dependency for Celery's SQS broker transport. It's only needed when DD_CELERY_BROKER_SCHEME=sqs is configured.

2. No binary wheels for Linux

pycurl does not provide pre-compiled manylinux or musllinux wheels, requiring compilation from source during every Docker build. This requires:

  • curl-dev / libcurl4-openssl-dev headers
  • gcc and build tools
  • PYCURL_SSL_LIBRARY=openssl environment variable

3. System packages are available and well-maintained

| Platform | Package | Version |
|---|---|---|
| Debian Trixie | python3-pycurl | 7.45.6 |
| Alpine 3.22 | py3-curl | 7.45.6 |

Both provide the same version, ensuring consistency across image variants.

Impact on Users

  • SQS users: No change - pycurl is still available via system packages
  • Non-SQS users: No change - pycurl was never used anyway
  • Local development: Developers who use SQS locally without Docker need to install pycurl manually (pip install pycurl or system package)

Remove pycurl from requirements.txt and use OS-provided packages instead:
- Debian: python3-pycurl (7.45.6)
- Alpine: py3-curl (7.45.6)

Benefits:
- Eliminates pycurl compilation during Docker builds
- Removes need for curl-dev/libcurl4-openssl-dev build dependencies
- Faster Docker image builds
- Consistent pycurl version across Debian and Alpine images

pycurl is only needed for Celery SQS broker support. It is not directly
imported by DefectDojo code - it's a transitive dependency that Celery
uses when configured with an SQS broker (DD_CELERY_BROKER_SCHEME=sqs).

The system packages provide the same functionality without requiring
compilation toolchains in the Docker build stage.
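
As an added example that is not part of this pull request or of DefectDojo's code: a preflight check for the dependency described above, which verifies that pycurl is importable when DD_CELERY_BROKER_SCHEME=sqs and reports the TLS library it was built against. The function names, the TLS backend list and the sample banner are assumptions made for illustration.

```python
import importlib
import os

# TLS libraries that may appear in the pycurl.version banner (list assumed for this example).
TLS_BACKENDS = ("openssl", "gnutls", "libressl", "wolfssl", "mbedtls")

# Constructed sample banner; only the PycURL version (7.45.6) comes from the PR text.
SAMPLE_BANNER = "PycURL/7.45.6 libcurl/8.14.1 OpenSSL/3.5.0 zlib/1.3.1"


def parse_banner(banner):
    """Turn 'PycURL/7.45.6 libcurl/8.14.1 ...' into {'pycurl': '7.45.6', ...}."""
    parts = {}
    for token in banner.split():
        name, sep, version = token.partition("/")
        if sep:  # skip tokens that are not 'name/version'
            parts[name.lower()] = version
    return parts


def check_sqs_prereqs(env=None, importer=importlib.import_module, expected_tls=None):
    """Return a list of problems; an empty list means the environment is fine."""
    env = os.environ if env is None else env
    if env.get("DD_CELERY_BROKER_SCHEME", "").lower() != "sqs":
        return []  # pycurl is only needed for the SQS transport
    try:
        pycurl = importer("pycurl")
    except ImportError as exc:
        return [f"DD_CELERY_BROKER_SCHEME=sqs but pycurl cannot be imported: {exc}"]
    # pycurl.version is the build banner string exposed by the module.
    parts = parse_banner(pycurl.version)
    tls = [name for name in TLS_BACKENDS if name in parts]
    problems = []
    if not tls:
        problems.append(f"no TLS backend found in banner: {pycurl.version!r}")
    elif expected_tls and expected_tls.lower() not in tls:
        # A pip build and a distro package may link different TLS libraries.
        problems.append(f"pycurl built against {tls[0]}, expected {expected_tls}")
    return problems


if __name__ == "__main__":
    for problem in check_sqs_prereqs():
        print("WARN:", problem)
```

Passing `expected_tls` makes the check fail when a distro package and a pip-built pycurl link different TLS libraries, which is the kind of drift that swapping the install source can introduce.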

@valentijnscholten (Member Author) commented

Now that it looks like we will keep building our own psycopg and uwsgi packages, moving pycurl to a system package has limited benefits. I created #14004 instead to use the recommended way to install celery + sqs dependencies.

@valentijnscholten (Member Author) commented

Closing as we're going with #14004
