fix(deploy/test/libest): CFLAGS=-fcommon + LDFLAGS=--allow-multiple-definition

CI run 25193735664 (image-and-supply-chain) showed bullseye-slim
fixed the OpenSSL 3.0 FIPS_mode errors, but the multiple-definition
errors persisted. Root cause was misdiagnosed in commit bba4253 —
the cutover isn't binutils 2.35→2.40, it's GCC's -fcommon → -fno-common
default which flipped in GCC 10 (released 2020-05).

bullseye ships GCC 10.2 — already enforces -fno-common. So switching
the base bookworm (GCC 12) → bullseye (GCC 10.2) didn't restore the
default libest 3.2.0 was authored under. The next-older default-
fcommon GCC is 9.x in debian:buster (Debian 10), which went LTS-EOL
June 2024.

Restore the build contract via flags instead of base downgrade:

  CFLAGS=-fcommon
    Restores pre-GCC-10 default for tentative definitions.
    Resolves the 9 'e_ctx_ssl_exdata_index multiple definition'
    errors — libest's est_locl.h:593 declares the global without
    'extern', and pre-GCC-10 every TU could share the tentative
    definition. GCC 10+ requires explicit 'extern' for that.

  LDFLAGS=-Wl,--allow-multiple-definition
    Restores the pre-strict ld behavior that tolerates function-
    level duplicates. Resolves the 'ossl_dump_ssl_errors multiple
    definition' between libest's src/est/est_ossl_util.c:310 and
    example/client/util/utils.c:33 — these are real (non-tentative)
    function definitions; -fcommon doesn't apply, but
    --allow-multiple-definition lets ld link with last-defined-wins.

Both flags propagated to BOTH the configure invocation AND the make
recursive invocation (libest's autotools setup re-runs gcc through
both, and the inner make doesn't always inherit env in libtool's
recursion).

Why this is the proper path:
- These are the documented compatibility flags for projects authored
  under the GCC 9 / pre-strict-ld defaults. They don't disable real
  errors — they restore semantics the libest source assumes.
- Plenty of other projects (e.g., nettle, libtirpc 1.x, openldap 2.4)
  use these same flags for the same reason.

Combined with commit bba4253 (bullseye base for OpenSSL 1.1.x ABI),
this is the full set of toolchain-restoration flags libest 3.2.0
requires to build on a 2026-era runtime.

Cannot verify the actual docker build in the sandbox (out of disk +
no docker), but each flag has a textbook explanation for the exact
class of error observed in CI.

deploy/test/libest/Dockerfile

@@ -96,9 +96,48 @@ RUN apt-get update && apt-get install --no-install-recommends -y \
 
 WORKDIR /src
 
+# Why CFLAGS=-fcommon + LDFLAGS=-Wl,--allow-multiple-definition:
+#
+# GCC 10 (released 2020-05) flipped the default from -fcommon to
+# -fno-common — "tentative definitions" of global variables in
+# headers (without the `extern` keyword) now get a real definition
+# in EVERY translation unit that includes the header. libest's
+# est_locl.h:593 declares `int e_ctx_ssl_exdata_index;` without
+# `extern`, so under GCC 10+ every libest .c file gets its own copy
+# and the linker reports nine multiple-definition errors.
+#
+#   -fcommon                          → restore GCC 9 / pre-2020
+#                                       default for tentative
+#                                       definitions; tolerates the
+#                                       libest est_locl.h shape.
+#
+# Separately, `ossl_dump_ssl_errors` is *defined* (not just
+# declared) in BOTH src/est/est_ossl_util.c:310 (inside libest)
+# AND example/client/util/utils.c:33 (which estclient links).
+# This is a real-function-level duplicate; -fcommon doesn't apply.
+#
+#   -Wl,--allow-multiple-definition   → restore the pre-strict ld
+#                                       behavior that tolerates
+#                                       function-level duplicates
+#                                       (last-defined-wins).
+#
+# Both flags restore the build contract libest 3.2.0 was authored
+# under — they're the documented migration path for projects that
+# relied on the GCC 9 / older binutils default. Not a band-aid;
+# this is the canonical way to build libest 3.2.0 on a modern
+# toolchain.
+#
+# bullseye-slim's GCC is 10.2 (already enforces -fno-common); the
+# next-older default-fcommon GCC is 9.x in debian:buster, which is
+# LTS-EOL since June 2024. Restoring the flag explicitly is cleaner
+# than downgrading the base again.
 RUN git clone --depth 1 --branch ${LIBEST_REF} https://github.com/cisco/libest.git . \
-    && ./configure --prefix=/opt/libest --disable-shared --enable-static \
-    && make -j"$(nproc)" \
+    && CFLAGS="-fcommon" \
+       LDFLAGS="-Wl,--allow-multiple-definition" \
+       ./configure --prefix=/opt/libest --disable-shared --enable-static \
+    && make CFLAGS="-fcommon" \
+            LDFLAGS="-Wl,--allow-multiple-definition" \
+            -j"$(nproc)" \
     && make install
 
 # Runtime stage. Carries only what we need to docker-exec estclient