Why It Matters
The shift transfers curl maintenance to customers, aligning FIPS packages with distribution‑managed cryptography and reducing GitLab’s security‑update burden, while preserving compliance for enterprise deployments.
Key Takeaways
- Curl 8.18.0 drops OpenSSL 1.x support, affecting Amazon Linux 2
- Omnibus‑GitLab 19.0 removes bundled curl from all FIPS packages
- Customers must now maintain OS‑provided curl security updates themselves
- No functional changes; GitLab instances continue operating unchanged
- Scanner results will reference host OS curl version, not GitLab’s
Pulse Analysis
FIPS (Federal Information Processing Standards) compliance has long required enterprises to rely on vetted cryptographic libraries supplied by the operating system rather than third‑party bundles. GitLab’s Omnibus packages traditionally bundled many dependencies, but for FIPS builds it already linked to the distro’s OpenSSL. Extending this model to curl eliminates a parallel maintenance track, ensuring that the entire cryptographic stack originates from a single, audited source, which simplifies audits and reduces the attack surface for regulated customers.
The technical catalyst for the change is curl 8.18.0’s decision to deprecate compilation against OpenSSL 1.x. This broke GitLab’s custom curl on platforms that still ship OpenSSL 1.x, notably Amazon Linux 2, AlmaLinux 8, and other RHEL 8‑based distributions used by many FIPS customers. By delegating curl to the host OS, GitLab sidesteps compatibility issues and leverages the distro’s own security update pipeline. The approach also future‑proofs the package, as newer distributions already pair curl with OpenSSL 3.0 or later.
For self‑managed GitLab administrators, the practical impact is modest: the product will continue to operate without configuration changes, but responsibility for curl patches now rests with the underlying OS. Teams should integrate curl version checks into their vulnerability‑scanning tools and establish regular OS update cycles to stay compliant. The shift also means that security scanners will report the host‑OS curl version, aligning findings with other FIPS components. Overall, the move streamlines GitLab’s FIPS offering while placing a clear maintenance duty on customers, a trade‑off that aligns with industry best practices for regulated environments.
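One way to put the curl version check described above into an inventory or scan script, as an added example that is not code from GitLab or the curl project: it parses the first line of `curl --version` on the host, reports the curl version and TLS backend, and flags a curl still linked against OpenSSL 1.x, the combination curl 8.18.0 no longer supports. The sample version lines and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from GitLab or the curl project: inventory the
# host curl that a FIPS GitLab instance now relies on and flag an OpenSSL 1.x
# backend. The SAMPLE_* lines are constructed, not captured from a real host.

# Constructed sample: a curl linked against an OpenSSL 1.0.2 FIPS build.
SAMPLE_OPENSSL1='curl 7.79.1 (x86_64-koji-linux-gnu) libcurl/7.79.1 OpenSSL/1.0.2k-fips zlib/1.2.7 nghttp2/1.41.0'
# Constructed sample: a curl linked against OpenSSL 3.
SAMPLE_OPENSSL3='curl 8.5.0 (x86_64-redhat-linux-gnu) libcurl/8.5.0 OpenSSL/3.2.2 zlib/1.2.13 nghttp2/1.58.0'

# Print "<curl version> <tls backend/version>" for one `curl --version` line.
curl_parse_version() {
    line=$1
    ver=$(printf '%s\n' "$line" | awk '{print $2}')
    # The TLS backend appears as a "<name>/<version>" token after libcurl/.
    tls=$(printf '%s\n' "$line" | tr ' ' '\n' \
        | grep -E '^(OpenSSL|LibreSSL|BoringSSL|GnuTLS|wolfSSL|NSS|mbedTLS)/' \
        | head -n 1)
    printf '%s %s\n' "$ver" "${tls:-unknown}"
}

# Return 0 when the line shows an OpenSSL 1.x backend, 1 otherwise.
curl_linked_openssl1() {
    case "$(curl_parse_version "$1" | awk '{print $2}')" in
        OpenSSL/1.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Report which curl binary is first on PATH, its version and TLS backend,
# and warn when it is an OpenSSL 1.x build whose patches come from the OS.
curl_host_report() {
    bin=$(command -v curl 2>/dev/null) || { echo "curl: not installed"; return 2; }
    line=$("$bin" --version | head -n 1)
    printf 'binary=%s %s\n' "$bin" "$(curl_parse_version "$line")"
    if curl_linked_openssl1 "$line"; then
        echo "WARN: curl is linked against OpenSSL 1.x; track OS security updates for it"
    fi
}
```

Run `curl_host_report` from a cron job or a scanner's custom check and diff the output against your last inventory to catch a changed curl or TLS backend.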
curl removed from Omnibus-GitLab FIPS packages in 19.0