Provider cross validation CI runs #20552
paulidale commented Mar 21, 2023
- documentation is added or updated
- tests are added or updated
e46f756 to 4d0181c
Cross validation tests are passing.
7d55157 to 9b25825
I believe this is still testing too much and it would require too much maintenance that has no real effect. IMO from the released versions we should only test the fips provider against the libcrypto & test suite from all the current branches. The full cross testing should be done only across the tips of the branches. This is sufficient to test that the fips providers are forwards compatible - this is actually the main use-case we need to support. The test suites from the old branches CANNOT in principle be fully compatible with updated providers, otherwise we would not be ever able to change things in providers. So you cannot ever expect the test suite from the 3.0.0 release (or any other release) to fully pass with new fips providers. If I count it properly we should have 3 released fips providers * 3 branches + 3*2 branches tests -> 15 tests and you can also drop the old FIPS provider compat test as that is just duplicate.
I'm basically doing what you suggest. No release is tested against any other release. Nothing is tested against itself. The old FIPS provider compatibility check is per push not daily, so more timely. Happy to drop it.
You already have some hacks there such as skipping the ssl tests from 3.0.0 release. I am afraid they will become unmaintainable at some point. I would simply drop the cases where you're running tests from released version tree.
Isn't it useful to learn when the 3.1.x FIPS provider ceases working with the 3.1.0 release? The test for each version could be dropped or limited to branch heads. It should be possible to not rebuild these each run but that's getting into some arcane depths of actions I'd prefer not to touch at the moment.
I am not sure it is that useful. I would assume if there is really an incompatibility being introduced the test of 3.0.x branch with the 3.1.x FIPS provider would reveal it as well. And as inevitably this can and will happen you would have to limit the failing test (or patch it somehow) anyway.
b865839 to 279decb
https://github.com/openssl/openssl/actions/runs/4558459775 passing with the reduced testing.
24 hours has passed since 'approval: done' was set, but this PR has failing CI tests. Once the tests pass it will get moved to 'approval: ready to merge' automatically, alternatively please review and set the label manually.
Trivial edit before merge to remove end of line white space from the new test.
Tests all released FIPS approved (or in progress) versions against all development branches and each other. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> (Merged from #20552)