Using prebuilt LibreSSL binaries on Windows

[SeanTAllen]

Right now, building Pony projects that use the ssl package on Windows requires users to compile LibreSSL from source. The make.ps1 script handles this by downloading LibreSSL 3.9.1, building it with CMake and MSVC, and copying the resulting .lib files into the project root. It works, but it means every Windows user needs CMake installed and has to wait for a C library to compile before they can build anything.

Since v3.8.3, LibreSSL publishes prebuilt Windows static libraries for every release on their GitHub releases page. They ship three architectures: x86, x86-64, and ARM64. Each zip contains ssl.lib, crypto.lib, and tls.lib, built with Visual Studio 2022 in Release configuration. The system dependencies are just ws2_32, ntdll, and bcrypt, all of which ship with Windows.

There are a few things worth investigating:

Could we bundle these prebuilt libraries directly? The .lib files are static libraries that get linked into the final executable at compile time. Users still need ponyc and an MSVC linker, but they wouldn't need CMake or a LibreSSL build step. The main concern is CRT version compatibility. If LibreSSL is built with one MSVC version and ponyc links with another, you can get subtle issues when allocations cross library boundaries. Since these are static libs (not DLLs), the risk is lower, but it's worth verifying.

Should make.ps1 download prebuilts instead of building from source? Rather than bundling the libs in the repo, make.ps1 could download the appropriate prebuilt zip from LibreSSL's GitHub releases. This keeps the build script self-contained and removes the CMake dependency without committing binary artifacts.

Version pinning. The current make.ps1 pins LibreSSL 3.9.1. If we switch to prebuilts, we'd pin to a specific release tag the same way. The FFI declarations in the ssl package are version-sensitive (OpenSSL 1.1.x vs 3.0.x vs LibreSSL have different function signatures in places), so the LibreSSL version needs to stay in sync with what the Pony wrapper expects.

ARM64. LibreSSL ships ARM64 prebuilts. Pony doesn't support Windows ARM64 today, but if it ever does, the SSL side would already be covered.

The simplest first step would be updating make.ps1 to download the prebuilt zip instead of building from source. That removes the CMake dependency for Windows users and should be a straightforward change.