gh-135401: Test AWS-LC as a cryptography library in CI #135402
This reverts commit 7d37e6a.
Misc/NEWS.d/next/Tests/2025-06-11-16-52-49.gh-issue-135401.ccMXmL.rst
.github/workflows/build.yml
with: | ||
path: ./multissl/aws-lc/${{ matrix.awslc_ver }} | ||
key: ${{ matrix.os }}-multissl-aws-lc-${{ matrix.awslc_ver }} | ||
# TODO [childw] can we use env.* instead of env vars here? |
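Review bot: The cache `key` is built only from `matrix.os` and `matrix.awslc_ver`, so a change to how AWS-LC is built (for example an edit to Tools/ssl/multissltests.py) keeps restoring the old build from the cache instead of rebuilding. Consider adding a `hashFiles('Tools/ssl/multissltests.py')` component to the key, and resolve or drop the personal `TODO [childw]` comment so the workflow does not carry an open question.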
I'd suggest for the initial version, keep as similar to the OpenSSL job/workflow, and then perhaps update both at once afterwards?
Fair enough. I'll remove the TODOs. Perhaps we can leave this comment unresolved as a reminder for me to clean up both (if tenable) if/after this PR has been merged.
Co-authored-by: Adam Turner <9087854+AA-Turner@users.noreply.github.com>
Co-authored-by: Adam Turner <9087854+AA-Turner@users.noreply.github.com>
…XmL.rst Co-authored-by: Adam Turner <9087854+AA-Turner@users.noreply.github.com>
Can you cherry-pick 8f4a0eb and make a separate PR please? TiA.
if not args.openssl and not args.libressl and not args.awslc: | ||
args.openssl = list(OPENSSL_RECENT_VERSIONS) | ||
args.libressl = list(LIBRESSL_RECENT_VERSIONS) | ||
args.awslc = list(AWSLC_RECENT_VERSIONS) |
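Review bot: With `not args.awslc` added to the condition, a bare invocation now also builds every entry in `AWSLC_RECENT_VERSIONS` on top of the OpenSSL and LibreSSL lists, which silently changes what the no-argument default does for anyone running the script locally. State the new default in the script's help text, or keep AWS-LC opt-in here and select it explicitly from the CI job.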
I don't like the rigidity of this as it scales poorly when we introduce more implementations (I don't see BoringSSL for instance). But let's keep this as is and I'll refactor this script in a separate PR.
…XmL.rst Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>
Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>
There's a lot of duplication between the build-ubuntu-ssltests-openssl and build-ubuntu-ssltests-awslc jobs, can we use a matrix to combine them?
Something like hugovk@a3f2ba9 -> https://github.com/hugovk/cpython/actions/runs/16121165851
Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
I think that makes a lot of sense. @AA-Turner previously suggested that I use OpenSSL's established CI definition patterns for this PR, then follow up with another PR to refactor CI definitions. @hugovk @AA-Turner -- Would you prefer that I incorporate the CI refactor into this PR or a fast-follow-up PR?
I think it's better to make it in a separate one. It'll be easier to revert if bad things happen.
Thank you!
Tools/ssl/multissltests.py
color=True, | ||
suggest_on_error=True, |
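Review bot: `color=True` and `suggest_on_error=True` are passed unconditionally, so on an interpreter whose argparse does not accept these keywords the script raises TypeError while constructing the parser, before any library is downloaded or built. Either drop both keywords or guard them on `sys.version_info`, so the failure does not depend on which Python the runner image happens to ship.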
These seem to be causing us some issues:
color=True, | |
suggest_on_error=True, | |
**( | |
dict( | |
color=True, | |
suggest_on_error=True, | |
) if sys.version_info >= (3, 14) else {} | |
) |
Or, to simplify:
color=True, | |
suggest_on_error=True, |
Considering the comment on line 21, the latter is probably the better option.
Ah right, revert is the way to go, thanks.
It's because this script is run before we've built our own Python and we're using image-default one, likely version 3.13.
https://github.com/python/cpython/actions/runs/16229017511/job/45827626323?pr=135402#step:9:1
We can instead do like parser.color = True, but it can be for the refactor.
Tools/ssl/multissltests.py
"-DFIPS=OFF", | ||
] | ||
self._subprocess_call(cmd, cwd=cwd, env=env) | ||
self._subprocess_call(["make", f"-j{self.jobs}"], cwd=cwd, env=env) |
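Review bot: `"-DFIPS=OFF"` is hard-coded in the CMake arguments with no comment, so a reader cannot tell whether testing only the non-FIPS build is a deliberate scope limit for this job or an oversight. Add a one-line comment saying why FIPS is disabled, and confirm that `_subprocess_call` raises on a non-zero exit so a failed `make` cannot be followed by tests against a partial build.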
self._subprocess_call(["make", f"-j{self.jobs}"], cwd=cwd, env=env) | |
self._subprocess_call(["make", "-j{}".format(self.jobs)], cwd=cwd, env=env) |
Alternatively, it's probably time that we could remove 2.7 from the list of versions we should stay compatible with.
> Alternatively, it's probably time that we could remove 2.7 from the list of versions we should stay compatible with.
That's certainly a call for the maintainers, but I'm happy to help implement your decision. No concerns from AWS-LC's perspective as the earliest version we test against is 3.9.
@zware -- the 2.7 compat issues didn't show up in this PR's CI. Is there some other slack/zulip/etc. channel where I can monitor secondary CI builds to get ahead of these issues during review?
I personally have been ready to drop 2.7 compatibility everywhere for over a decade now :). I have no evidence that anyone is still actually using 2.7 with this script; that note is 8 years old, from back when we were still maintaining each of the mentioned versions.
Co-authored-by: Zachary Ware <zachary.ware@gmail.com>
Co-authored-by: Zachary Ware <zachary.ware@gmail.com>
Co-authored-by: Zachary Ware <zachary.ware@gmail.com>
I think we've quibbled enough on this; I'm merging it :). I'm re-running the new job one last time just to be sure, but setting automerge anyway. Since it's non-blocking anyway, we can fix up anything else in followups.
@WillChilds-Klein Thank you very much for this!
…H-135402) Co-authored-by: Adam Turner <9087854+AA-Turner@users.noreply.github.com> Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com> Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com> Co-authored-by: Zachary Ware <zach@python.org>
Notes
This PR extends multissltests.py's AbstractBuilder class to fetch AWS-LC v1.55.0 and build it using CMake and GNU make. To do this, we add cmake as a GitHub Runner dependency in .github/workflows/posix-deps-apt.sh. We also update CPython's configure and configure.ac scripts to swap out BLAKE2 (not tracked for standardization) in favor of SHA-512 when detecting libcrypto compilation compatibility for hashlib.
Finally, a new CI workflow uses this update to dynamically link AWS-LC against CPython, perform a linkage check, and run CPython's ssltests.py in CPython's public CI. This differs from AWS-LC's own CPython integration test where we statically link the CPython executable to AWS-LC.
The new CI check is not marked as "required", but if the community wants to make it "required" for future PRs that can be done by adding a list item for build-ubuntu-ssltests-awslc here.
Please feel free to file an issue with the AWS-LC team here for assistance in troubleshooting any CI failures of the new check.
Testing
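The linkage check mentioned in the description above can be sketched as follows. This is an added example, not code from the PR or from CPython's workflow: it parses `ldd` output for the `_ssl` extension and reports any `libssl`/`libcrypto` that does not load from the intended AWS-LC prefix. The function names, the `/work/...` prefix and the sample `ldd` output are all constructed for illustration.

```python
import re
from pathlib import PurePosixPath

# Hypothetical install prefix; the PR's workflow caches ./multissl/aws-lc/<version>.
PREFIX = "/work/multissl/aws-lc/1.55.0"

# Constructed `ldd` output for CPython's _ssl extension module (not real CI logs).
LDD_GOOD = f"""\
\tlinux-vdso.so.1 (0x00007ffd2a5f2000)
\tlibssl.so => {PREFIX}/lib/libssl.so (0x00007f1c0a400000)
\tlibcrypto.so => {PREFIX}/lib/libcrypto.so (0x00007f1c09e00000)
\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1c09c00000)
"""
# Failure mode: libssl silently resolved to the distribution's OpenSSL.
LDD_MIXED = f"""\
\tlibssl.so.3 => /lib/x86_64-linux-gnu/libssl.so.3 (0x00007f1c0a400000)
\tlibcrypto.so => {PREFIX}/lib/libcrypto.so (0x00007f1c09e00000)
"""

LDD_LINE = re.compile(r"^\s*(?P<name>\S+)\s+=>\s+(?P<target>not found|\S+)")

def resolved_tls_libs(ldd_output):
    """Map each libssl/libcrypto soname in `ldd` output to its resolved path."""
    libs = {}
    for line in ldd_output.splitlines():
        m = LDD_LINE.match(line)
        if m and re.match(r"lib(ssl|crypto)\.so", m["name"]):
            libs[m["name"]] = m["target"]
    return libs

def check_linkage(ldd_output, prefix):
    """Return a list of problems; an empty list means both libraries load from prefix."""
    libs = resolved_tls_libs(ldd_output)
    problems = []
    for stem in ("libssl", "libcrypto"):
        hits = {n: t for n, t in libs.items() if n.startswith(stem + ".so")}
        if not hits:
            problems.append(f"{stem}: not linked dynamically")
        for name, target in hits.items():
            if target == "not found":
                problems.append(f"{name}: not found")
            elif not PurePosixPath(target).is_relative_to(prefix):
                problems.append(f"{name}: resolved outside prefix: {target}")
    return problems

if __name__ == "__main__":
    for label, text in (("good", LDD_GOOD), ("mixed", LDD_MIXED)):
        print(label, check_linkage(text, PREFIX) or "OK")
```

Running the test suite only after this check returns an empty list avoids the case where the tests pass against the system library rather than the one under test.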