Closed
Description
One this is done, we need to make changes pretty much throughout. On the code/patch side:
- Move platform-native crypto patches into
microsoft/main. - Rework patches to work with GOEXPERIMENT flag.
- If we aren't totally sure the GOEXPERIMENT toggle will disable our changes properly, make the FIPS patches only get applied optionally.
- If our patches stay within the bounds of the boringcrypto GOEXPERIMENT flag, this probably won't be an issue. (It's broadly important in upstream Go that if the experiment flag isn't set, nothing breaks.) But if we have to make some changes that reach outside, we may want to be more cautious.
microsoft/go builds:
- Each internal rolling build matrix most likely needs to include normal and GOEXPERIMENT builds.
- This would be in case the flag causes bad behavior for some customers who don't need FIPS, so they can easily switch to the normal build until we can figure out the issue. (Bad behavior could be due to our patches, due to upstream changes, or a combination.)
- The files need to be distinguished: at the moment, both boring and non-boring branches produce
go{buildnum}.linux-x64.tar.gz. A build number suffix seems reasonable. - More data in build asset JSON to make these artifacts distinct in a way that tooling can determine later without depending very strongly on the filename convention?
microsoft/go-infra:
- microsoft/go -> microsoft/go-images auto-update needs to handle the new artifact names, updating FIPS and non-FIPS at the same time.
- aka.ms link generation handling.
microsoft/go-images:
- No change, once upstream build URLs get merged into this repo, the go-images build doesn't really care where they came from.
This simplifies things: #501 (comment)