tls: update BoringSSL to c5ad6dcb (4491).

[PiotrSikora]

Fixes #16105.

Signed-off-by: Piotr Sikora piotrsikora@google.com

[repokitteh-read-only]

CC @envoyproxy/dependency-shepherds: Your approval is needed for changes made to (bazel/.*repos.*\.bzl)|(bazel/dependency_imports\.bzl)|(api/bazel/.*\.bzl)|(.*/requirements\.txt)|(.*\.patch).

🐱

Caused by: #16104 was opened by PiotrSikora.

see: more, trace.

[PiotrSikora]

@moderation This patch is lifted from https://boringssl-review.googlesource.com/c/boringssl/+/47084, so we have to carry it until it reaches Chromium Stable channel that we follow for BoringSSL.

[moderation]

@PiotrSikora can we add a comment and TODO explaining that

[htuch]

@PiotrSikora ETA until it reaches Chromium stable?

[PiotrSikora]

@PiotrSikora ETA until it reaches Chromium stable?

Beta on 6/3, Stable on 7/20 (see: https://chromiumdash.appspot.com/schedule).

We flip back and forth between Stable and Beta, depending on QUICHE needs, so we could update it on 6/3 if you prefer to get rid of the patch before the release.

[PiotrSikora]

/retest

[repokitteh-read-only]

Retrying Azure Pipelines:
Check envoy-presubmit didn't fail.

🐱

Caused by: a #16104 (comment) was created by @PiotrSikora.

see: more, trace.

[PiotrSikora]

/retest

[repokitteh-read-only]

Retrying Azure Pipelines:
Retried failed jobs in: envoy-presubmit

🐱

Caused by: a #16104 (comment) was created by @PiotrSikora.

see: more, trace.

[htuch]

Does being on stable confer any security or stability benefit (yes, I know it's in the name, but beta means a lot of different things on a per project basis)?

[PiotrSikora]

Does being on stable confer any security or stability benefit (yes, I know it's in the name, but beta means a lot of different things on a per project basis)?

I don't believe so, the only advantage (for me) are the regular updates every 6 weeks (changing to every 4 weeks later this year) when following Chromium vs bumping BoringSSL dependency every day/week when following master.

As far as I recall, @mattklein123 always preferred following Chromium Stable because then it's a more widely tested version than a random commit from master.

[moderation]

See prior conversation about BoringSSL version at #15181 (comment). At that time we merged a version that was not stable so I think this is OK. As per prior comment I'd like to see a comment and TODO with how the patch gets fixed in the future and who owns the TODO. It makes tracking down a patch owner must easier

[PiotrSikora]

See prior conversation about BoringSSL version at #15181 (comment). At that time we merged a version that was not stable so I think this is OK.

Could you elaborate on what is OK? Do you mean that we should switch to following BoringSSL's master branch?

As per prior comment I'd like to see a comment and TODO with how the patch gets fixed in the future and who owns the TODO. It makes tracking down a patch owner must easier

I've added a comment already (see: https://github.com/envoyproxy/envoy/pull/16104/files#diff-0eb42e688409aad0b08239fc702eb26298453f95089f74d02a3cfc5ae91612a9R2).

That's a cherry-pick of a commit merged upstream, so it will be removed once we catch-up with the BoringSSL version that contains it. I can add more text if you can provide it, since I'm not sure what else you want me to add there.

[moderation]

Could you elaborate on what is OK? Do you mean that we should switch to following BoringSSL's master branch?

I was pointing out the we have used a pre-master branch of BoringSSL in the past but this PR doesn't change the dependency so my comment isn't relevant.

Your comment in the patch doesn't talk about what occurs to allow for removal of the patch and who has the TODO. The information in #16104 (comment) and #16104 (comment) provides a lot more context.

[PiotrSikora]

I was pointing out the we have used a pre-master branch of BoringSSL in the past but this PR doesn't change the dependency so my comment isn't relevant.

Oh, but it does... if we update BoringSSL to master, then we don't need to cherry-pick that commit and carry it as a patch, since it will be already included.

I think that decision is ultimately up to @envoyproxy/dependency-shepherds?

[yanavlasov]

Are we ok with this PR as it is? It is not clear from the comments.

[PiotrSikora]

I think we (or at least me) are waiting for the decision from @envoyproxy/dependency-shepherds whether we should follow BoringSSL master or version from the Chromium's Stable channel.

[moderation]

Confused too. From what I can see this PR changes a single file bazel/boringssl_static.patch. It doesn't change the BoringSSL version. However @PiotrSikora says it does change the BoringSSL version in #16104 (comment). Is there another PR associated with this single file PR? As per above I'm suggesting a simple TODO and comment saying what needs to happen to remove the patch and who owns the patch.

[PiotrSikora]

Confused too. From what I can see this PR changes a single file bazel/boringssl_static.patch. It doesn't change the BoringSSL version. However @PiotrSikora says it does change the BoringSSL version in #16104 (comment).

I never said that this (or any other) PR changes the version of BoringSSL.

I said that you comment (#16104 (comment)) is relevant, because we have 2 options to enable those optimizations:

1. Update BoringSSL to the master branch, which already includes the commit in question.
2. Carry that commit as a patch until it lands in the version of BoringSSL used in Chromium Stable.

This PR carries the patch (i.e. option (2)), but you've mentioned that using BoringSSL version different from Chromium Stable was fine in the past, so if we're fine with following master branch, then we can simply update BoringSSL instead of carrying this patch (i.e. option (1)), and I'm waiting for a confirmation that this is what you want to do.

[moderation]

I think I get it now. We really don't want to carry patches if possible and we would rather be on Chromium stable. However we are currently using a Chromium beta channel BoringSSL and the comment I linked to would indicate that using a closer to head BoringSSL should be OK.

Could we switch to the Chromium Dev channel and get the BoringSSL version we need to avoid the patch? https://chromiumdash.appspot.com/releases?platform=Linux ? The Dev channel has 2 92 releases already.

My vote is to go to Chromium Dev channel with no patch. If we don't want to proceed with the Dev channel my vote is to carry the patch until Beta arrives on 6/3. /cc @htuch

Definitely want to unblock this to get better aarch64 CPU performance

[PiotrSikora]

@moderation done.

[moderation]

/lgtm deps

[PiotrSikora]

/retest

[repokitteh-read-only]

Retrying Azure Pipelines:
Retried failed jobs in: envoy-presubmit

🐱

Caused by: a #16104 (comment) was created by @PiotrSikora.

see: more, trace.