-
Notifications
You must be signed in to change notification settings - Fork 4.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
tls: update BoringSSL to c5ad6dcb (4491). #16104
Conversation
b1cf0c0
to
ab03a3d
Compare
Signed-off-by: Piotr Sikora <piotrsikora@google.com>
a6b4fe8
to
97e879d
Compare
@moderation This patch is lifted from https://boringssl-review.googlesource.com/c/boringssl/+/47084, so we have to carry it until it reaches Chromium Stable channel that we follow for BoringSSL. |
@PiotrSikora can we add a comment and TODO explaining that |
Signed-off-by: Piotr Sikora <piotrsikora@google.com>
Signed-off-by: Piotr Sikora <piotrsikora@google.com>
@PiotrSikora ETA until it reaches Chromium stable? |
Beta on 6/3, Stable on 7/20 (see: https://chromiumdash.appspot.com/schedule). We flip back and forth between Stable and Beta, depending on QUICHE needs, so we could update it on 6/3 if you prefer to get rid of the patch before the release. |
/retest |
Retrying Azure Pipelines: |
Signed-off-by: Piotr Sikora <piotrsikora@google.com>
Signed-off-by: Piotr Sikora <piotrsikora@google.com>
/retest |
Retrying Azure Pipelines: |
Does being on stable confer any security or stability benefit (yes, I know it's in the name, but beta means a lot of different things on a per project basis)? |
I don't believe so, the only advantage (for me) are the regular updates every 6 weeks (changing to every 4 weeks later this year) when following Chromium vs bumping BoringSSL dependency every day/week when following As far as I recall, @mattklein123 always preferred following Chromium Stable because then it's a more widely tested version than a random commit from |
See prior conversation about BoringSSL version at #15181 (comment). At that time we merged a version that was not stable so I think this is OK. As per prior comment I'd like to see a comment and TODO with how the patch gets fixed in the future and who owns the TODO. It makes tracking down a patch owner must easier |
Could you elaborate on what is OK? Do you mean that we should switch to following BoringSSL's
I've added a comment already (see: https://github.com/envoyproxy/envoy/pull/16104/files#diff-0eb42e688409aad0b08239fc702eb26298453f95089f74d02a3cfc5ae91612a9R2). That's a cherry-pick of a commit merged upstream, so it will be removed once we catch-up with the BoringSSL version that contains it. I can add more text if you can provide it, since I'm not sure what else you want me to add there. |
I was pointing out the we have used a pre-master branch of BoringSSL in the past but this PR doesn't change the dependency so my comment isn't relevant. Your comment in the patch doesn't talk about what occurs to allow for removal of the patch and who has the TODO. The information in #16104 (comment) and #16104 (comment) provides a lot more context. |
Oh, but it does... if we update BoringSSL to I think that decision is ultimately up to @envoyproxy/dependency-shepherds? |
Are we ok with this PR as it is? It is not clear from the comments. |
I think we (or at least me) are waiting for the decision from @envoyproxy/dependency-shepherds whether we should follow BoringSSL |
Confused too. From what I can see this PR changes a single file |
I never said that this (or any other) PR changes the version of BoringSSL. I said that you comment (#16104 (comment)) is relevant, because we have 2 options to enable those optimizations:
This PR carries the patch (i.e. option (2)), but you've mentioned that using BoringSSL version different from Chromium Stable was fine in the past, so if we're fine with following |
I think I get it now. We really don't want to carry patches if possible and we would rather be on Chromium stable. However we are currently using a Chromium beta channel BoringSSL and the comment I linked to would indicate that using a closer to head BoringSSL should be OK. Could we switch to the Chromium Dev channel and get the BoringSSL version we need to avoid the patch? https://chromiumdash.appspot.com/releases?platform=Linux ? The Dev channel has 2 92 releases already. My vote is to go to Chromium Dev channel with no patch. If we don't want to proceed with the Dev channel my vote is to carry the patch until Beta arrives on 6/3. /cc @htuch Definitely want to unblock this to get better aarch64 CPU performance |
Signed-off-by: Piotr Sikora <piotrsikora@google.com>
Signed-off-by: Piotr Sikora <piotrsikora@google.com>
@moderation done. |
/lgtm deps |
/retest |
Retrying Azure Pipelines: |
Fixes envoyproxy#16105. Signed-off-by: Piotr Sikora <piotrsikora@google.com> Signed-off-by: Gokul Nair <gnair@twitter.com>
Fixes #16105.
Signed-off-by: Piotr Sikora piotrsikora@google.com