tetlowgm (Contributor) commented Dec 7, 2024

The pipeline to update the embedded openssl tree has a logic error and cannot check out a tag that isn't in the local repository. This errors out, causing the embedded tree to never be updated.

To reproduce, check out an older tree (3.0.14) and see how it doesn't properly update:

$ rm -rf openssl
$ git clone --depth 1 -b openssl-3.0.14 https://github.com/openssl/openssl ./openssl
<cloning messages here>
$ make opensslpull
...
error: pathspec 'openssl-3.0.15' did not match any file(s) known to git

This change properly fetches the new tag and will then properly check it out. With the updated Makefile:

$ rm -rf openssl
$ git clone --depth 1 -b openssl-3.0.14 https://github.com/openssl/openssl ./openssl
<cloning messages here>
$ make opensslpull
<happy fetching messages>
From https://github.com/openssl/openssl
 * [new tag]           openssl-3.0.15 -> openssl-3.0.15
Previous HEAD position was 9cff14fd Prepare for release of 3.0.14
HEAD is now at c523121f Prepare for release of 3.0.15

I'm maintaining the shallow clone behavior and doing the fetch with --depth 1 which makes it about as minimal as possible. Updating from 3.0.14 to 3.0.15 transferred 64KiB on the wire, according to git.

Due to the shallow clone, the existing openssl tree never updates as the
tag we are attempting to move to does not exist in our tree, causing the
"git checkout" command to fail the pipeline.

Instead, if the latest blessed version of the upstream (as defined by the
regex we used to decide which openssl version we support) is different than
our local tree, use "git fetch" to grab the new tag and then use "git
checkout" to move our local tree to it.

Tested on:	Way too many trees of openssl in different states

rbsec (Owner) commented Jan 18, 2025

Good catch - thanks!

@rbsec rbsec merged commit 7c3a9db into rbsec:master Jan 18, 2025
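
The update step discussed in this PR, as an added example that is not the project's Makefile or code from the PR: it moves a `--depth 1` clone to a tag that is missing locally by fetching only that tag, then checks the result. The function name `update_shallow_to_tag` and the `origin` remote name are assumptions made for the example.

```shell
# Added example (not the project's Makefile). update_shallow_to_tag is a
# hypothetical helper; it assumes the clone's remote is named "origin".
update_shallow_to_tag() {
    repo_dir=$1
    tag=$2

    # Refuse tag names git itself would not accept as a ref.
    git check-ref-format "refs/tags/$tag" || return 1

    # Commit the tag points at, if the tag is already known locally.
    want=$(git -C "$repo_dir" rev-parse -q --verify "refs/tags/$tag^{commit}" 2>/dev/null) || want=
    head=$(git -C "$repo_dir" rev-parse HEAD) || return 1

    # Already on the wanted tag: nothing to fetch, nothing to check out.
    if [ -n "$want" ] && [ "$want" = "$head" ]; then
        return 0
    fi

    # A --depth 1 clone only holds the tag it was cloned at, so a bare
    # "git checkout <new tag>" fails with "pathspec ... did not match".
    # Fetch just the wanted tag, still at depth 1, to keep the clone shallow.
    git -C "$repo_dir" fetch --quiet --depth 1 origin \
        "refs/tags/$tag:refs/tags/$tag" || return 1

    # Detached checkout of the freshly fetched tag.
    git -C "$repo_dir" checkout --quiet "refs/tags/$tag" || return 1

    # Verify HEAD really is the tagged commit before reporting success.
    want=$(git -C "$repo_dir" rev-parse -q --verify "refs/tags/$tag^{commit}") || return 1
    [ "$(git -C "$repo_dir" rev-parse HEAD)" = "$want" ]
}
```

The final comparison makes a failed or partial update return non-zero, so a pipeline step calling it stops instead of building against the old tree.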