CI: Bump macOS build to use OpenSSL v3.0 #105538

erlend-aasland · 2023-06-08T22:27:51Z

erlend-aasland · 2023-06-08T22:29:59Z

Not sure about how far we should backport this. I'll leave it to Ned :)

ned-deily · 2023-06-08T22:49:51Z

Not sure about how far we should backport this.

I think it should be the RM's call for each but, based on @gpshead's discussion elsewhere regarding OpenSSL's support policies, I think we definitely should backport to 3.11 and 3.10 and probably also 3.9 and 3.8, given that 1.1.x will be no longer supported before their EOLs. 3.7 should not be backported at the moment at least as all the changes to support 3.0 have not been backported to it and 3.7 is about to hit EOL anyway. Perhaps @pablogsal and @ambv have opinions?

ned-deily · 2023-06-08T22:51:22Z

There is one other related task: ensure that the all of the Homebrew OpenSSL versions we use in the GHA Workflows have been updated to the most recent releases. Last time I looked they weren't.

erlend-aasland · 2023-06-09T05:06:54Z

There is one other related task: ensure that the all of the Homebrew OpenSSL versions we use in the GHA Workflows have been updated to the most recent releases. Last time I looked they weren't.

I added a step that upgrades only openssl@3.0; I'm not sure we should touch the HOMEBREW_NO_AUTO_UPDATE option.

This reverts commit 499db46.

erlend-aasland · 2023-06-09T08:19:26Z

Locally, Homebrew installs OpenSSL 3.0.9, but it seems stuck at v3.0.8 in CI. I tried to disable HOMEBREW_NO_AUTO_UPDATE, but that did not help. Over at my fork, I've also tried to run brew upgrade -f openssl@3.0 (post deps install) and brew fetch -f openssl@3.0 (pre deps install), but none of them seem to have any effect. I'm giving up on this part for now (I don't have the bandwidth to follow this up.)

Perhaps @hugovk has a solution to this?

hugovk · 2023-06-09T09:16:20Z

Hmm, it's downloading from https://ghcr.io/ which is GitHub Packages, does GitHub have their own local cache and it doesn't yet have 3.0.9?

==> Fetching openssl@3.0
==> Downloading https://ghcr.io/v2/homebrew/core/openssl/3.0/manifests/3.0.8
==> Downloading https://ghcr.io/v2/homebrew/core/openssl/3.0/blobs/sha256:bf169df9308d0f428e[22](https://github.com/python/cpython/actions/runs/5219127895/jobs/9420617810?pr=105538#step:4:23)738863b85464af92f970fe823a24ae7a150d79b2bc24
==> Downloading from https://pkg-containers.githubusercontent.com/ghcr1/blobs/sha256:bf169df9308d0f428e22738863b85464af92f970fe8[23](https://github.com/python/cpython/actions/runs/5219127895/jobs/9420617810?pr=105538#step:4:24)a24ae7a150d79b2bc24?se=2023-06-09T07%3A05%3A00Z&sig=hdu9U%2FPBC5P5q%2BdjeBZYmCaWFcxomsGs2KCpHVEdKGI%3D&sp=r&spr=https&sr=b&sv=2019-12-12
==> Pouring openssl@3.0--3.0.8.monterey.bottle.tar.gz

https://github.com/python/cpython/actions/runs/5219127895/jobs/9420617810?pr=105538#step:4:22

Looks like Homebrew now defaults to a local mirror:

https://docs.brew.sh/Installation#git-remote-mirroring

Perhaps unsetting HOMEBREW_BREW_GIT_REMOTE, or even setting HOMEBREW_NO_INSTALL_FROM_API=1 will help?

erlend-aasland · 2023-06-09T12:54:05Z

Thanks, @hugovk. I tried adjusting the env vars again, also this time adding a brew cleanup --prune=all openssl@3.0, then a brew fetch -f openssl@3.0 step, but no luck.

erlend-aasland · 2023-06-16T08:38:02Z

There is one other related task: ensure that the all of the Homebrew OpenSSL versions we use in the GHA Workflows have been updated to the most recent releases. Last time I looked they weren't.

IMO, we should not let that block this PR. Unless others disagree, I propose to land this PR.

bedevere-bot · 2023-06-16T19:00:50Z

GH-105867 is a backport of this pull request to the 3.12 branch.