
Boring build broken for non-FIPS #641

Closed
nmittler opened this issue Aug 4, 2023 · 5 comments · Fixed by #820

@nmittler
Contributor

nmittler commented Aug 4, 2023

For those of us that don't build against the pre-built FIPS binary (e.g. mac users), the build is currently broken due to Boring. It's not clear exactly what is broken, but I recently had this same issue with quinn-boring and fixed it by using the latest commit.

For quinn-boring I actually needed to use the latest commit. We could probably get by using the latest release (https://github.com/cloudflare/boring/tree/v3.0.2).

@howardjohn assigning to you since we're using your branch of Boring currently.

To verify it works:

  1. Comment out the boring env vars in config.toml, and ...
  2. Comment out the default features in cargo.toml

This should force boring to rebuild boringssl from scratch.

@nmittler
Contributor Author

FYI, I suspect this is blocked by cloudflare/boring#156.

@bleggett
Contributor

bleggett commented Aug 21, 2023

fwiw I gave up trying to rebuild boringssl from scratch on M1 Mac with a macOS/unix target and just use one of

  • a local linux/arm64 VM (lima works nicely and stays out of the way)
  • make shell (effectively linux/arm64)

to do ztunnel builds.

ztunnel has platform conditionals that render non-linux builds mostly useless anyway.

@nmittler
Contributor Author

The latest cloudflare boring build works fine for me on M1 osx. It's just that the particular version ztunnel is using is now broken (I assume something changed in upstream boringssl).

ztunnel has platform conditionals that render non-linux builds mostly useless anyway.

While true, there's a lot of development that can still be done without requiring linux. All/most unit tests run fine on osx, for example.

@bleggett
Contributor

bleggett commented Aug 21, 2023

I do think/agree non-FIPS linux builds are something we need to support broadly, since as I've mentioned before FIPS is a massive pain and many orgs/users will not need it, or expressly will not want it (e.g. they will want to use newer crypto libs than the USG certifies).

That being said, without even basic "does it build" CI for $platform+$arch it's going to be effectively impossible to guard against breakage long-term for that $platform+$arch. And we are (probably) never adding ztunnel CI for macOS.

@nmittler
Contributor Author

Yeah, I think the main guard against macOS breakage is simply developers for the project (I know I'm not the only one on mac).
