gh-119400: make_ssl_certs: update reference test data automatically, pass in expiration dates as parameters #119400 #119401

Open
wants to merge 4 commits into
base: main

@kanavin kanavin commented May 22, 2024

As discussed here:
#107863

make_ssl_certs.py has a few shortcomings. In particular:

  • it generates certificates, but does not update reference data in tests that use them, instead asking the user to copy paste the data by hand (expiration dates and serial numbers in particular)
  • it is supposed to be run by hand and isn't executed in builds, which means its output has to be checked into git, cluttering the source tree, and complicating reviews of pull requests that change that output.
  • expiration dates are hardcoded into the tool and can't be passed in as parameters

This pull request aims to address the first and last issues, so that #107863 can then move forward on top of them.

kanavin commented May 22, 2024

OSError: [Errno 30] Read-only file system: '/home/runner/work/cpython/cpython-ro-srcdir/Lib/test/certdata'

This means CI is set up so that modifying the source tree is not possible. Suggestions? I still think it's worth making make_ssl_certs execution a part of the build, but the complication is that its output needs to be written into the build dir, and both installation and tests need to find it there.

kanavin commented May 23, 2024

> OSError: [Errno 30] Read-only file system: '/home/runner/work/cpython/cpython-ro-srcdir/Lib/test/certdata'
>
> This means CI is set up so that modifying the source tree is not possible. Suggestions? I still think it's worth making make_ssl_certs execution a part of the build, but the complication is that its output needs to be written into the build dir, and both installation and tests need to find it there.

I've concluded that this is not feasible for now:

  • needs invasive changes to Makefile
  • requires openssl executable at build time
  • breaks build reproducibility as every build is going to have different certificates installed, even if they're only used for testing.

I'll drop that from this PR, and make it only about not hardcoding reference certificate data and expiration parameters.

@kanavin kanavin changed the title from "gh-119400: make_ssl_certs: run at build time, update reference test data automatically #119400" to "gh-119400: make_ssl_certs: update reference test data automatically, pass in expiration dates as parameters #119400" on May 23, 2024
blurb-it bot and others added 4 commits May 23, 2024 11:59
The script was simply printing the reference data and asking
users to update it by hand into the test suites. This can
be easily improved by writing the data into files and
having the test cases load the files.

Signed-off-by: Alexander Kanavin <[email protected]>
…mand line

Note that the defaults are the same as they were, so if nothing is
specified, the script works exactly as before.

Signed-off-by: Alexander Kanavin <[email protected]>
@kumaraditya303 kumaraditya303 removed their request for review June 23, 2024 07:54
kanavin commented Sep 6, 2024

This seems to be not getting any attention, is there something I can do to push it forward?

@gvanrossum gvanrossum requested review from encukou and sethmlarson and removed request for 1st1, asvetlov and gvanrossum September 6, 2024 15:59