-
Notifications
You must be signed in to change notification settings - Fork 75
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
image-rs re-introduce ring version that is incompatible with s390x? #422
Comments
Looks like the latest sigstore pulls "tough" which depends on this old ring... :/ |
sigstore-rs has a dependabot PR open that brings in updated ring. We should just get them to upgrade and cut a new release? |
Let me fix the dep in upstream sigstore-rs. |
pending pr sigstore/sigstore-rs#320 |
Before we get the upstream fixed, do you think it is urgent that we need to fix by changing the current sigstore-rs rev to my personal repo? @stevenhorsman |
Hey Ding, I'm not completely caught up yet, but I don't think it's super urgent right now. I mostly raised it to try and get a fix once we are ready to merge the image-rs working into kata-agent in |
@stevenhorsman @Xynnn007 I have encountered this problem in guest-pull PR on s390x and ppc64le: How far have we come in addressing this issue? |
Oh. This is a long stack.
I made a PR in sigstore-rs to update What we should do now is
|
@Xynnn007 Correct me if I'm wrong but I believe 2. got added because cosign client could not be built without |
Right. Both will resolve this but the thread you mentioned seems faster as we do not require one more community. I have reviewed the code of that. Either of them is merged could handle the problem of this issue. |
FYI I've created draft PR #491 to add testing of s390x and powerpc64le so when this is fixed we can try and stop any regressions quicker |
https://www.memorysafety.org/blog/rustls-with-aws-crypto-back-end-and-fips/ we might want to use AWS' backend via feature flag if that compiles on S390x |
It's a good idea, but the fully replacement of |
ahh, it's a transitive dep. yes, this won't help. |
Fixes confidential-containers#422 Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
Fixes #422 Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
I believe the topic worth discussing is can we default to one stack on all platforms/architectures going forward to reduce dependencies and simplify the code base/features. |
We once bring openssl and ring the two different stacks for different platforms. The updations upon ring make it clearer we might not need to, which means we can deprecate all openssl features and deps and convert to ring -- or the opposite, as now the code stack can be built on both stack. |
+1, this was the thinking behind my comment. There could be alternatives too, e.g., what @mkulke shared above. It's probably not an urgent move to make but a potential goal we can discuss and agree upon. |
I'm not completely sure what the situation is, so apologies if this isn't clear.
During testing of kata-containers/kata-containers#8670, we ran the kata-agent build with a new commit from image-rs and they failed with:
I know ring didn't use to support s390x. That got added in October in briansmith/ring#1297, but 0.16.20 is ~3 years old, so it won't be in there. I know that Ding did some work to ensure that ring wasn't needed to unblock s390x builds of image-rs, has that been undone recently?
It seems to be commit 4ddac38 that introduced this issue as a151bca worked, so we just used that one in the end, but once we re-integrate image-rs with kata-containers we'll hit this issue.
For some of the other guest-components projects we have Makefiles to make it easier to build for multiple architectures and added workflows:
guest-components/.github/workflows/cdh_basic.yml
Lines 59 to 61 in 5d4bb95
The text was updated successfully, but these errors were encountered: