Fix failure detection and failures in basic-build-test.sh with SSL3 in full #3180
Conversation
Signed-off-by: Gilles Peskine <[email protected]>
Signed-off-by: Gilles Peskine <[email protected]>
Signed-off-by: Gilles Peskine <[email protected]>
We used to enable MBEDTLS_ENTROPY_FORCE_SHA256 in the full config, but this is no longer the case. So the seedfile now needs to be 64 bytes, nor 32 bytes. Signed-off-by: Gilles Peskine <[email protected]>
Signed-off-by: Gilles Peskine <[email protected]>
Signed-off-by: Gilles Peskine <[email protected]>
gilles-peskine-arm
added
mbed TLS team
needs-backports
|
CI run of |
This reverts commit 2b9ebce. config.py full includes everything that can be tested together, even deprecated algorithms and protocols. Signed-off-by: Gilles Peskine <[email protected]>
This reverts commit 03035eb. Since SSL3 is back in the full config, test it again. Signed-off-by: Gilles Peskine <[email protected]>
The full config includes everything that can be tested together, even deprecated features (except deprecated features that lack proper testing or require additional build dependencies). Signed-off-by: Gilles Peskine <[email protected]>
gilles-peskine-arm
force-pushed
the
basic-build-test-status
branch
from
d5f8b5c to
aab670d
Compare
gilles-peskine-arm
added
the
needs-review
|
New CI run of Run with only the changes in |
Signed-off-by: Gilles Peskine <[email protected]>
gilles-peskine-arm
changed the title
gilles-peskine-arm
changed the title
| @@ -898,9 +898,12 @@ component_test_full_cmake_clang () { | |||
| } | |||
There was a problem hiding this comment.
The commit message is confusing to me: turning off deprecated features in something that builds deprecated stuff?
There was a problem hiding this comment.
Sorry, which commit?
There was a problem hiding this comment.
The commit message of this commit "Turn off deprecated features in component_build_deprecated."
There was a problem hiding this comment.
Ah, I guess it's the name of the component that's confusing. What it actually does is to check that if you build the library without deprecated features, and you arrange disable deprecated features (in either of two ways: compiler warning + -Werror, or compiling them out altogether), the build still works. I guess it should be called component_build_without_deprecated.
There was a problem hiding this comment.
Yes I agree that component_build_without_deprecated would be a better name in that case. Probably not for this PR to change that name though but if you include some of your above explanation in the commit message it would be all clear.
There was a problem hiding this comment.
So, as commented out of github, for now I really prefer #3181 (ie the other PR, not this one). In the longer term, I don't have any objections to switching to the approach in this PR, but I think it needs more comments in some places.
| @@ -166,6 +166,7 @@ def include_in_full(name): | |||
| if name in [ | |||
| 'MBEDTLS_CTR_DRBG_USE_128_BIT_KEY', | |||
| 'MBEDTLS_DEPRECATED_REMOVED', | |||
| 'MBEDTLS_DEPRECATED_WARNING', | |||
There was a problem hiding this comment.
I think something similar to the commit message should be added as a comment above this list, to avoid any ambiguity in the future.
There was a problem hiding this comment.
We have a backlog of writing comments to explain this list. A long time ago I wrote some for config.pl but that never got merged.
There was a problem hiding this comment.
Well I think it adjusting the definition of full is the best time to finally add those comments. Otherwise this PR will only fix one half of the problem (the definition was suboptimal) but not the other half (different team members at different times had different enough conceptions of what "full" meant that we broke things), which is IMO at least as important.
| @@ -898,9 +898,12 @@ component_test_full_cmake_clang () { | |||
| } | |||
|
|
|||
| component_build_deprecated () { | |||
| msg "build: make, full config + DEPRECATED_WARNING, gcc -O" # ~ 30s | |||
| msg "build: make, full config - deprecated + DEPRECATED_WARNING, gcc -O" # ~ 30s | |||
There was a problem hiding this comment.
Partially pre-existing: I don't understand the purpose of this component. Probably deserves a comment in the code.
There was a problem hiding this comment.
In the meantime I saw your reply to Ronald. I think something similar should be added as comments in the code.
The comments could also perhaps mention one point that wasn't immediately clear to me: we need to disable deprecated config.h options when building with DEPRECATED_WARNINGS because they use #warning which isn't affected by -Wno-deprecated (unlike deprecated functions which use the deprecated attribute).
There was a problem hiding this comment.
AFAIR that code has existed since before the componentization of all.sh. The pure-full jobs might not have!
| } | tee tests/cov-$TEST_OUTPUT | ||
|
|
||
| if [ "$(tail -n1 tests/cov-$TEST_OUTPUT)" != "SUCCESS" ]; then | ||
| echo >&2 "Fatal: 'make lcov' failed" |
There was a problem hiding this comment.
As @mpg noted in the alternative PR there's an exit missing here.
|
Closed in favor of #3180. Some of the changes to |
Needs partial backports. This PR is release-critical, but the backports aren't (we can check the logs manually to verify that there are no failures).
Alternative that doesn't change the full config: #3181