[RFC] [edk2-openssl fork] Add openssl fork repo to Tianocore to support OpenSSL11_EOL

[RFC] [edk2-openssl fork] Add openssl fork repo to Tianocore to support OpenSSL11_EOL

[Yao, Jiewen]

[-- Attachment #1: Type: text/plain, Size: 922 bytes --]

Hi
This is follow up for the "Openssl1.1 replacement proposal" https://edk2.groups.io/g/devel/topic/96741156.
openssl 3.0 POC result is shown at https://github.com/tianocore/edk2-staging/blob/OpenSSL11_EOL/CryptoPkg/Readme-OpenSSL3.0.md
The size increase is reduced to ~10%.

In order to achieve maximum size optimization for openssl 3.0, we updated openssl 3.0 branch and recorded to https://github.com/liyi77/openssl/tree/openssl-3.0-POC.
To help the community review and feedback the openssl 3.0 change and plan to openssl upstream in the future, we should avoid personal branch usage.

The proposal is to:

  1.  Create *an edk2 fork of openssl* under https://github.com/tianocore
  2.  Create *an edk2 branch* to hold all update for support https://github.com/tianocore/edk2-staging/tree/OpenSSL11_EOL
  3.  Add git submodule of the edk2 fork of openssl to the OpenSSL11_EOL.

Thank you
Yao, Jiewen


[-- Attachment #2: Type: text/html, Size: 5545 bytes --]

Re: [edk2-devel] [RFC] [edk2-openssl fork] Add openssl fork repo to Tianocore to support OpenSSL11_EOL

[Gerd Hoffmann]

On Wed, Apr 05, 2023 at 01:37:23AM +0000, Yao, Jiewen wrote:
> Hi
> This is follow up for the "Openssl1.1 replacement proposal" https://edk2.groups.io/g/devel/topic/96741156.
> openssl 3.0 POC result is shown at https://github.com/tianocore/edk2-staging/blob/OpenSSL11_EOL/CryptoPkg/Readme-OpenSSL3.0.md
> The size increase is reduced to ~10%.
> 
> In order to achieve maximum size optimization for openssl 3.0, we updated openssl 3.0 branch and recorded to https://github.com/liyi77/openssl/tree/openssl-3.0-POC.
> To help the community review and feedback the openssl 3.0 change and plan to openssl upstream in the future, we should avoid personal branch usage.

I fail to see the point.  To get the openssl changes merged upstream
you needed engage with the openssl community, and I don't see how a
tianocore openssl repository helps with that.

Now that the changes needed have been identified I'd strongly suggest
to focus on getting the changes merged to upstream openssl instead of
storing them in a tianocore fork.

take care,
  Gerd

Re: [edk2-devel] [RFC] [edk2-openssl fork] Add openssl fork repo to Tianocore to support OpenSSL11_EOL

[Leif Lindholm]

On Wed, Apr 05, 2023 at 13:39:21 +0200, Gerd Hoffmann wrote:
> On Wed, Apr 05, 2023 at 01:37:23AM +0000, Yao, Jiewen wrote:
> > Hi
> > This is follow up for the "Openssl1.1 replacement proposal" https://edk2.groups.io/g/devel/topic/96741156.
> > openssl 3.0 POC result is shown at https://github.com/tianocore/edk2-staging/blob/OpenSSL11_EOL/CryptoPkg/Readme-OpenSSL3.0.md
> > The size increase is reduced to ~10%.
> > 
> > In order to achieve maximum size optimization for openssl 3.0, we
> > updated openssl 3.0 branch and recorded to
> > https://github.com/liyi77/openssl/tree/openssl-3.0-POC.
> > To help the community review and feedback the openssl 3.0 change
> > and plan to openssl upstream in the future, we should avoid
> > personal branch usage.
> 
> I fail to see the point.  To get the openssl changes merged upstream
> you needed engage with the openssl community, and I don't see how a
> tianocore openssl repository helps with that.

Here is my understanding:
- There is a concern that this change may break existing use-cases,
  and the proposal is to collate current state of work - undergoing
  upstreaming to openssl - so that the tianocore community (and
  downstream consumers) can start testing it with minimal amount of
  faff.
- There is *no* plan for the edk2 repository to switch to using this
  submodule.

If that understanding is correct, as long as the README.md is updated
to clearly state that this repository is for integration and
verification purposes only - at the very top - I think this is a good
thing.

/
    Leif

Re: [edk2-devel] [RFC] [edk2-openssl fork] Add openssl fork repo to Tianocore to support OpenSSL11_EOL

[Yao, Jiewen]

Thanks Leif. Your understanding is right.
The openssl fork will be used by edk2-staging repo only.
The openssl fork will NOT be by edk2 repo.


Creating project specific fork is not unique.
For example, we already have other fork in tianocore - https://github.com/tianocore/rust
For example, we already have fork for openssl - https://github.com/open-quantum-safe/openssl

The idea here is similar.

Thank you
Yao, Jiewen


> -----Original Message-----
> From: Leif Lindholm <quic_llindhol@quicinc.com>
> Sent: Thursday, April 6, 2023 2:32 AM
> To: devel@edk2.groups.io; kraxel@redhat.com
> Cc: Yao, Jiewen <jiewen.yao@intel.com>
> Subject: Re: [edk2-devel] [RFC] [edk2-openssl fork] Add openssl fork repo to
> Tianocore to support OpenSSL11_EOL
> 
> On Wed, Apr 05, 2023 at 13:39:21 +0200, Gerd Hoffmann wrote:
> > On Wed, Apr 05, 2023 at 01:37:23AM +0000, Yao, Jiewen wrote:
> > > Hi
> > > This is follow up for the "Openssl1.1 replacement proposal"
> https://edk2.groups.io/g/devel/topic/96741156.
> > > openssl 3.0 POC result is shown at https://github.com/tianocore/edk2-
> staging/blob/OpenSSL11_EOL/CryptoPkg/Readme-OpenSSL3.0.md
> > > The size increase is reduced to ~10%.
> > >
> > > In order to achieve maximum size optimization for openssl 3.0, we
> > > updated openssl 3.0 branch and recorded to
> > > https://github.com/liyi77/openssl/tree/openssl-3.0-POC.
> > > To help the community review and feedback the openssl 3.0 change
> > > and plan to openssl upstream in the future, we should avoid
> > > personal branch usage.
> >
> > I fail to see the point.  To get the openssl changes merged upstream
> > you needed engage with the openssl community, and I don't see how a
> > tianocore openssl repository helps with that.
> 
> Here is my understanding:
> - There is a concern that this change may break existing use-cases,
>   and the proposal is to collate current state of work - undergoing
>   upstreaming to openssl - so that the tianocore community (and
>   downstream consumers) can start testing it with minimal amount of
>   faff.
> - There is *no* plan for the edk2 repository to switch to using this
>   submodule.
> 
> If that understanding is correct, as long as the README.md is updated
> to clearly state that this repository is for integration and
> verification purposes only - at the very top - I think this is a good
> thing.
> 
> /
>     Leif

Re: [edk2-devel] [RFC] [edk2-openssl fork] Add openssl fork repo to Tianocore to support OpenSSL11_EOL

[Gerd Hoffmann]

On Thu, Apr 06, 2023 at 03:00:38AM +0000, Yao, Jiewen wrote:
> Thanks Leif. Your understanding is right.
> The openssl fork will be used by edk2-staging repo only.
> The openssl fork will NOT be by edk2 repo.

Ok, fine with me then.

take care,
  Gerd

Re: [edk2-devel] [RFC] [edk2-openssl fork] Add openssl fork repo to Tianocore to support OpenSSL11_EOL

[Michael D Kinney]

Fork created

    https://github.com/tianocore/openssl

I have given EDK II Maintainers write access.

Let me know if there is any additional configuration required.

Thanks,

Mike

> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Yao, Jiewen
> Sent: Wednesday, April 5, 2023 8:01 PM
> To: Leif Lindholm <quic_llindhol@quicinc.com>; devel@edk2.groups.io; kraxel@redhat.com
> Cc: Yao, Jiewen <jiewen.yao@intel.com>
> Subject: Re: [edk2-devel] [RFC] [edk2-openssl fork] Add openssl fork repo to Tianocore to support OpenSSL11_EOL
> 
> Thanks Leif. Your understanding is right.
> The openssl fork will be used by edk2-staging repo only.
> The openssl fork will NOT be by edk2 repo.
> 
> 
> Creating project specific fork is not unique.
> For example, we already have other fork in tianocore - https://github.com/tianocore/rust
> For example, we already have fork for openssl - https://github.com/open-quantum-safe/openssl
> 
> The idea here is similar.
> 
> Thank you
> Yao, Jiewen
> 
> 
> > -----Original Message-----
> > From: Leif Lindholm <quic_llindhol@quicinc.com>
> > Sent: Thursday, April 6, 2023 2:32 AM
> > To: devel@edk2.groups.io; kraxel@redhat.com
> > Cc: Yao, Jiewen <jiewen.yao@intel.com>
> > Subject: Re: [edk2-devel] [RFC] [edk2-openssl fork] Add openssl fork repo to
> > Tianocore to support OpenSSL11_EOL
> >
> > On Wed, Apr 05, 2023 at 13:39:21 +0200, Gerd Hoffmann wrote:
> > > On Wed, Apr 05, 2023 at 01:37:23AM +0000, Yao, Jiewen wrote:
> > > > Hi
> > > > This is follow up for the "Openssl1.1 replacement proposal"
> > https://edk2.groups.io/g/devel/topic/96741156.
> > > > openssl 3.0 POC result is shown at https://github.com/tianocore/edk2-
> > staging/blob/OpenSSL11_EOL/CryptoPkg/Readme-OpenSSL3.0.md
> > > > The size increase is reduced to ~10%.
> > > >
> > > > In order to achieve maximum size optimization for openssl 3.0, we
> > > > updated openssl 3.0 branch and recorded to
> > > > https://github.com/liyi77/openssl/tree/openssl-3.0-POC.
> > > > To help the community review and feedback the openssl 3.0 change
> > > > and plan to openssl upstream in the future, we should avoid
> > > > personal branch usage.
> > >
> > > I fail to see the point.  To get the openssl changes merged upstream
> > > you needed engage with the openssl community, and I don't see how a
> > > tianocore openssl repository helps with that.
> >
> > Here is my understanding:
> > - There is a concern that this change may break existing use-cases,
> >   and the proposal is to collate current state of work - undergoing
> >   upstreaming to openssl - so that the tianocore community (and
> >   downstream consumers) can start testing it with minimal amount of
> >   faff.
> > - There is *no* plan for the edk2 repository to switch to using this
> >   submodule.
> >
> > If that understanding is correct, as long as the README.md is updated
> > to clearly state that this repository is for integration and
> > verification purposes only - at the very top - I think this is a good
> > thing.
> >
> > /
> >     Leif
> 
> 
> 
> 

Re: [edk2-devel] [RFC] [edk2-openssl fork] Add openssl fork repo to Tianocore to support OpenSSL11_EOL

[Yao, Jiewen]

Thank you Mike. Appreciate that.

Hi Yi
I have created branch https://github.com/tianocore/openssl/tree/edk2-staging-openssl-3.0.8, from original openssl-3.0.8 tag. It matches what we have according to https://github.com/tianocore/edk2-staging/blob/OpenSSL11_EOL/CryptoPkg/Readme-OpenSSL3.0.md.

(I add "edk2-staging-" as prefix to indicate that this branch is for edk2-staging. Just avoid confusing.)

I recommend doing followings:
1) Please submit all openssl 3.0 patches from https://github.com/liyi77/openssl/tree/openssl-3.0-POC to https://github.com/tianocore/openssl/tree/edk2-staging-openssl-3.0.8. As such, other people can review, comment or contribute the openssl work for edk2-staging in tianocore.

2) Once above is merged, please update https://github.com/tianocore/edk2-staging/blob/OpenSSL11_EOL to submodule the https://github.com/tianocore/openssl.

3) In the future, if we need upgrade to a new openssl tag, please let me know. I will create new branch, such as edk2-staging-openssl-3.0.9, or edk2-staging-openssl-3.1.0, etc. for our work.

Thank you
Yao, Jiewen

> -----Original Message-----
> From: Kinney, Michael D <michael.d.kinney@intel.com>
> Sent: Saturday, April 8, 2023 10:30 AM
> To: devel@edk2.groups.io; Yao, Jiewen <jiewen.yao@intel.com>; Leif
> Lindholm <quic_llindhol@quicinc.com>; kraxel@redhat.com
> Cc: Kinney, Michael D <michael.d.kinney@intel.com>
> Subject: RE: [edk2-devel] [RFC] [edk2-openssl fork] Add openssl fork repo to
> Tianocore to support OpenSSL11_EOL
> 
> Fork created
> 
>     https://github.com/tianocore/openssl
> 
> I have given EDK II Maintainers write access.
> 
> Let me know if there is any additional configuration required.
> 
> Thanks,
> 
> Mike
> 
> > -----Original Message-----
> > From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Yao,
> Jiewen
> > Sent: Wednesday, April 5, 2023 8:01 PM
> > To: Leif Lindholm <quic_llindhol@quicinc.com>; devel@edk2.groups.io;
> kraxel@redhat.com
> > Cc: Yao, Jiewen <jiewen.yao@intel.com>
> > Subject: Re: [edk2-devel] [RFC] [edk2-openssl fork] Add openssl fork repo
> to Tianocore to support OpenSSL11_EOL
> >
> > Thanks Leif. Your understanding is right.
> > The openssl fork will be used by edk2-staging repo only.
> > The openssl fork will NOT be by edk2 repo.
> >
> >
> > Creating project specific fork is not unique.
> > For example, we already have other fork in tianocore -
> https://github.com/tianocore/rust
> > For example, we already have fork for openssl - https://github.com/open-
> quantum-safe/openssl
> >
> > The idea here is similar.
> >
> > Thank you
> > Yao, Jiewen
> >
> >
> > > -----Original Message-----
> > > From: Leif Lindholm <quic_llindhol@quicinc.com>
> > > Sent: Thursday, April 6, 2023 2:32 AM
> > > To: devel@edk2.groups.io; kraxel@redhat.com
> > > Cc: Yao, Jiewen <jiewen.yao@intel.com>
> > > Subject: Re: [edk2-devel] [RFC] [edk2-openssl fork] Add openssl fork repo
> to
> > > Tianocore to support OpenSSL11_EOL
> > >
> > > On Wed, Apr 05, 2023 at 13:39:21 +0200, Gerd Hoffmann wrote:
> > > > On Wed, Apr 05, 2023 at 01:37:23AM +0000, Yao, Jiewen wrote:
> > > > > Hi
> > > > > This is follow up for the "Openssl1.1 replacement proposal"
> > > https://edk2.groups.io/g/devel/topic/96741156.
> > > > > openssl 3.0 POC result is shown at
> https://github.com/tianocore/edk2-
> > > staging/blob/OpenSSL11_EOL/CryptoPkg/Readme-OpenSSL3.0.md
> > > > > The size increase is reduced to ~10%.
> > > > >
> > > > > In order to achieve maximum size optimization for openssl 3.0, we
> > > > > updated openssl 3.0 branch and recorded to
> > > > > https://github.com/liyi77/openssl/tree/openssl-3.0-POC.
> > > > > To help the community review and feedback the openssl 3.0 change
> > > > > and plan to openssl upstream in the future, we should avoid
> > > > > personal branch usage.
> > > >
> > > > I fail to see the point.  To get the openssl changes merged upstream
> > > > you needed engage with the openssl community, and I don't see how a
> > > > tianocore openssl repository helps with that.
> > >
> > > Here is my understanding:
> > > - There is a concern that this change may break existing use-cases,
> > >   and the proposal is to collate current state of work - undergoing
> > >   upstreaming to openssl - so that the tianocore community (and
> > >   downstream consumers) can start testing it with minimal amount of
> > >   faff.
> > > - There is *no* plan for the edk2 repository to switch to using this
> > >   submodule.
> > >
> > > If that understanding is correct, as long as the README.md is updated
> > > to clearly state that this repository is for integration and
> > > verification purposes only - at the very top - I think this is a good
> > > thing.
> > >
> > > /
> > >     Leif
> >
> >
> > 
> >