On Thu, 2021-07-15 at 20:24 +0800, Tianjia Zhang wrote: > > On 7/15/21 2:39 PM, Petr Vorel wrote: > > Hi Mimi, Tianjia, > > > >> Hi Tianjia, > > > >> On Wed, 2021-07-14 at 21:01 +0800, Tianjia Zhang wrote: > > > >>> index 5b07711..a0001b0 100644 > >>> --- a/.travis.yml > >>> +++ b/.travis.yml > >>> @@ -93,4 +93,4 @@ before_install: > >>> script: > >>> - INSTALL="${DISTRO%%:*}" > >>> - INSTALL="${INSTALL%%/*}" > >>> - - $CONTAINER run $CONTAINER_ARGS -t ima-evm-utils /bin/sh -c "if > >>> [ \"$VARIANT\" ]; then ARCH=\"$ARCH\" ./ci/$INSTALL.$VARIANT.sh; fi > >>> && ARCH=\"$ARCH\" CC=\"$CC\" TSS=\"$TSS\" ./ci/$INSTALL.sh && if [ ! > >>> \"$VARIANT\" ]; then which tpm_server || which swtpm || > >>> ./tests/install-swtpm.sh; fi && CC=\"$CC\" VARIANT=\"$VARIANT\" > >>> ./build.sh" > >>> + - $CONTAINER run $CONTAINER_ARGS -t ima-evm-utils /bin/sh -c "if > >>> [ \"$VARIANT\" ]; then ARCH=\"$ARCH\" ./ci/$INSTALL.$VARIANT.sh; fi > >>> && ARCH=\"$ARCH\" CC=\"$CC\" TSS=\"$TSS\" ./ci/$INSTALL.sh && if [ ! > >>> \"$VARIANT\" ]; then which tpm_server || which swtpm || > >>> ./tests/install-swtpm.sh; fi && ./tests/install-openssl3.sh && > >>> CC=\"$CC\" VARIANT=\"$VARIANT\" ./build.sh" > > > >> With "install-openssl3.sh", installing openssl 3.0 is being done for > >> every distro matrix rule. This needs to be limited to a specific > >> instance. Petr, please correct if I'm wrong, I assume a new variable > >> needs to be defined, similar to "TSS". > > +1 > > > >> A similar change would need to be made in ci.yml. > > +1 > > > >>> new file mode 100755 > >>> index 0000000..21adb6f > >>> --- /dev/null > >>> +++ b/tests/install-openssl3.sh 
> >>> @@ -0,0 +1,15 @@ > >>> +#!/bin/sh > >>> + > >>> +set -ex > >>> + > >>> +# The latest version in July 2021 > >>> +wget --no-check-certificate https://github.com/openssl/openssl/archive/refs/tags/openssl-3.0.0-beta1.tar.gz > >>> +tar --no-same-owner -xvzf openssl-3.0.0-beta1.tar.gz > > > >> Petr said, "Although it appears there is no distro which would have > >> openssl 3.0 [1], > >> Debian actually have 3.0.0~~beta1-1 in experimental [2]. openSUSE has slightly > >> older version openssl-3.0.0-alpha16 [3]. I suppose we update soon to beta1 as > >> well. > >> Using distro packages would be probably faster to run in CI than install from git." > >> I guess, whether the openssl 3.0 source code is from the distro or from > >> openssl, it needs to be compiled from source. > > > >> Perhaps limiting compiling openssl 3.0 to those distros with the source > >> package is simpler than defining a new travis.yml variable, as > >> suggested above. Petr? > > It'll be slower, but why not. It might be better not cover only Debian. > > But IMHO there should be at least some distros tested with regular openssl 1.1.x > > (or which particular version it have) which means some runs will be added to the > > matrix. But there should be a balance between test coverity and time required > > for tests to be run (we don't want to end up like u-boot [1] :)). > > > [1] https://github.com/u-boot/u-boot/runs/3073277277 > > > > evmctl itself relies on openssl version 1.1.1 or lower. I guess, openssl > 3.0 needs to be compiled and install to a non-standard path, such as > /opt/openssl, otherwise it will affect the subsequent compilation of > evmctl in build.sh. Compiling evmctl with the new version of openssl will eventually need to be done. but that isn't required for your patch. > Of course, compile openssl 3.0 from source code. > must to limit the number of instances to avoid excessively increasing > the time-consuming in CI. Is that right? It's more than just "time consuming". 
There needs to be a balance between testing with the distro openssl version and testing with the new openssl version, without going overboard with the number of tests.

thanks,

Mimi
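
Review bot: in the .travis.yml hunk, the added `./tests/install-openssl3.sh &&` sits outside the `if [ ! \"$VARIANT\" ]; then ... fi` guard and directly in the `&&` chain ahead of `./build.sh`, so every matrix entry runs the OpenSSL 3.0 beta install, and any failure in that step stops the job before evmctl is built, including on the jobs meant to test the distro's own OpenSSL. Gate the call on a dedicated matrix variable, passed into the container the same way `TSS` is, and set it only on the instances that should exercise OpenSSL 3.0; ci.yml would need the same gating.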
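
Review bot: in tests/install-openssl3.sh, the `wget --no-check-certificate` line turns off TLS certificate verification for the tarball download, and the `tar --no-same-owner -xvzf` line that follows unpacks the archive with no integrity check in the visible lines, so the CI job would build against whatever bytes the download returned. Drop `--no-check-certificate` (install the CA bundle in the container if the download fails without it) and compare the archive against a pinned SHA-256 before extracting, for example with `sha256sum -c`. The comment "The latest version in July 2021" will also go stale; holding the version in one variable used by both the URL and the tar line would make it easier to bump.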