all: move dev.boringcrypto into main branch behind GOEXPERIMENT #51940
Comments
Change https://go.dev/cl/395815 mentions this issue.
Change https://go.dev/cl/395881 mentions this issue.
Change https://go.dev/cl/395879 mentions this issue.
Change https://go.dev/cl/395880 mentions this issue.
Change https://go.dev/cl/395883 mentions this issue.
Change https://go.dev/cl/395884 mentions this issue.
Change https://go.dev/cl/395876 mentions this issue.
Change https://go.dev/cl/395878 mentions this issue.
Change https://go.dev/cl/395882 mentions this issue.
Change https://go.dev/cl/395877 mentions this issue.
@rsc have you considered moving …
…ap toolchain

When using Go 1.4 this doesn't matter, but when using Go 1.17, the bootstrap toolchain will complain about unknown GOEXPERIMENT settings. Clearly GOEXPERIMENT is for the toolchain being built, not the bootstrap.

For #51940.

Change-Id: Iff77204391a5a66f7eecab1c7036ebe77e1a4e82
Reviewed-on: https://go-review.googlesource.com/c/go/+/395879
Trust: Russ Cox <[email protected]>
Run-TryBot: Russ Cox <[email protected]>
Reviewed-by: Ian Lance Taylor <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>

Change https://go.dev/cl/397894 mentions this issue.
Change https://go.dev/cl/397895 mentions this issue.
When using Go 1.4 this doesn't matter, but when using Go 1.17, the bootstrap toolchain will complain about unknown GOEXPERIMENT settings. Clearly GOEXPERIMENT is for the toolchain being built, not the bootstrap.

Already submitted as CL 395879 on the dev.boringcrypto branch, but needed on master to set up the GOEXPERIMENT=boringcrypto builder ahead of the merge.

For #51940.

Change-Id: Ib6a4099cca799b4d5df1974cdb5471adb0fd557d
Reviewed-on: https://go-review.googlesource.com/c/go/+/397894
Trust: Russ Cox <[email protected]>
Run-TryBot: Russ Cox <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Ian Lance Taylor <[email protected]>

Not hooked up to everything else yet. Copy of CL 395880, for setting up the GOEXPERIMENT=boringcrypto builder ahead of the merge.

For #51940.

Change-Id: If842761f77d07329d88748990b95f4b39c2f153a
Reviewed-on: https://go-review.googlesource.com/c/go/+/397895
Trust: Russ Cox <[email protected]>
Run-TryBot: Russ Cox <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Ian Lance Taylor <[email protected]>

As of CL 397895, GOEXPERIMENT=boringcrypto is understood on the master branch (and is a no-op). This CL adds a linux-amd64-boringcrypto builder in advance of merging the actual boringcrypto code behind that GOEXPERIMENT flag.

For golang/go#51940.

Change-Id: I6611caf8f7a10f334e5343cadaf3b1c1e5bf4b2f
Reviewed-on: https://go-review.googlesource.com/c/build/+/395815
Trust: Russ Cox <[email protected]>
Run-TryBot: Russ Cox <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>
Change https://go.dev/cl/402187 mentions this issue.
Change https://go.dev/cl/402182 mentions this issue.
Change https://go.dev/cl/402185 mentions this issue.
Change https://go.dev/cl/402188 mentions this issue.
Change https://go.dev/cl/402189 mentions this issue.
Change https://go.dev/cl/402186 mentions this issue.
Change https://go.dev/cl/402184 mentions this issue.
Change https://go.dev/cl/402596 mentions this issue.
Change https://go.dev/cl/395875 mentions this issue.
Change https://go.dev/cl/413754 mentions this issue.

@rsc I've submitted https://go.dev/cl/413754 which cleans a longstanding …

@rsc Is there anything left to do for this issue?

This is all done.

from #51940 (comment):

maybe I misunderstood, but I was not able to get this to work: `go build -tags boringcrypto ...` This did work (and auto-set a GOEXPERIMENT=boringcrypto `go build ...`

@rsc Was the new approach of …

We don't officially support boringcrypto. To the extent that there was documentation before, it was at https://go.googlesource.com/go/+/refs/heads/dev.boringcrypto/README.boringcrypto.md, and that has been updated.

@liggitt, missed your Aug 5 comment. You found the right answer: GOEXPERIMENT works, -tags does not. I've updated my comment above.
https://gitlab.com/gitlab-org/gitlab-shell/-/merge_requests/718 will make Go 1.19 the default for gitlab-shell. Per golang/go#51940, the dev.boringcrypto branch no longer exists, and to support FIPS we need to pass along `GOEXPERIMENT=boringcrypto`. To do this, we just see if this `GOEXPERIMENT` is available with `go version` rather than do some more complicated version-specific comparison.
We can reduce code duplication used for the FIPS check by using LabKit's implementation. LabKit uses the `fips` tag instead of the `boringcrypto` tag, which is deprecated in any case and replaced with `GOEXPERIMENT=boringcrypto` due to golang/go#51940.

This commit changes the message on a FIPS system from:

```
FIPS mode enabled. Using BoringSSL.
```

to:

```
FIPS mode is enabled. Using an external SSL library.
```

On a non-FIPS system, this commit changes the message from:

```
GitLab Runner was compiled with FIPS mode but BoringSSL is not enabled.
```

to:

```
Binary was compiled with FIPS mode, but an external SSL library was not enabled.
```
👋 everyone, could someone take a look at https://stackoverflow.com/questions/75638176/how-can-i-check-whether-my-golang-app-is-fips-compliant, thanks!

* Install go "manually" from tarball in ci go-fips container. We need go 1.19 to install go-fips 1.19, and the image only has 1.18.
* Specify `GOEXPERIMENT=boringcrypto` when building the fips version of runner. As @stanhu mentions, this is necessary because of https://github.com/golang/go/blob/dev.boringcrypto/README.boringcrypto.md

See:
* golang/go#51940
* golang-fips/go#59
The dev.boringcrypto branch started out as a bit of an experiment, back in the Go 1.8 time frame. It is clearly here to stay as something that we maintain alongside the main distribution.
Maintaining a whole separate branch is cumbersome, requiring frequent conflict resolution during merges and being just generally painful.
It would be far less upkeep if we kept the boringcrypto code in the main branch behind a GOEXPERIMENT, same as we do for GOEXPERIMENT=fieldtrack. We should do that.
This bug is to track work toward that goal. Generally speaking it will require a little bit of rewriting of parts that we can't reasonably merge and then a bunch of build tags.