Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Include the patched version of aws-nitro-enclaves-cose in the repo and packit enhancements #704

Open
wants to merge 10 commits into
base: main
Choose a base branch
from

Conversation

mmartinv
Copy link
Contributor

@mmartinv mmartinv commented Nov 27, 2024

The purpose of this patch is to incorporate the external an patched version of aws-nitro-enclaves-cose into the project's source code to avoid all the hacks of patching and unpatching the spec files, the Cargo.toml and the vendored sources back an forth when packaging as it has been shown to be fragile and is causing (and will cause) problems with dependantbot.

This patch also tries to centralize all the build logic in one file (the Makefile) and simplify the packit configuration.

The summary of changes woud be:

  • chore: add aws-nitro-enclaves-cose 0.4.0 crate to the repo
  • chore: fix aws-nitro-enclaves-cose errors
  • chore: spec changes
  • chore: use the new local copy of aws-nitro-enclaves-cose
  • chore: add new Makefile targets
  • chore: use the new Makefile targets in packit
  • chore: remove unused patches and scripts
  • chore: skip external crates from analisys
  • chore: bump libcryptsetup-rs
  • chore: ignore source code and vendor tarballs.
  • chore: avoid clippy errors

@mmartinv mmartinv force-pushed the packit-fixes-and-enhancements branch from 60880b7 to 20de0d6 Compare November 28, 2024 07:41
Copy link

@github-advanced-security github-advanced-security bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

devskim found more than 20 potential problems in the proposed changes. Check the Files changed tab for more details.

@mmartinv mmartinv force-pushed the packit-fixes-and-enhancements branch 4 times, most recently from 2901f7e to ec9f9bb Compare November 28, 2024 08:43
@runcom
Copy link
Contributor

runcom commented Nov 28, 2024

niiiice 😃 let's make this work!

@mmartinv mmartinv force-pushed the packit-fixes-and-enhancements branch from ec9f9bb to 3948303 Compare November 28, 2024 15:09
@mmartinv mmartinv changed the title packit fixes and enhancements Include the patched version of aws-nitro-eclaves-cose in the repo and packit enhancements Nov 28, 2024
@mmartinv mmartinv changed the title Include the patched version of aws-nitro-eclaves-cose in the repo and packit enhancements Include the patched version of aws-nitro-enclaves-cose in the repo and packit enhancements Nov 28, 2024
@mmartinv mmartinv force-pushed the packit-fixes-and-enhancements branch 3 times, most recently from dd70bf7 to e922191 Compare November 29, 2024 09:29
@fdo-rs fdo-rs deleted a comment from packit-as-a-service bot Nov 29, 2024
@fdo-rs fdo-rs deleted a comment from packit-as-a-service bot Nov 29, 2024
@mmartinv mmartinv force-pushed the packit-fixes-and-enhancements branch 7 times, most recently from 938021b to 6091fc2 Compare November 29, 2024 12:03
@fdo-rs fdo-rs deleted a comment from packit-as-a-service bot Nov 29, 2024
@fdo-rs fdo-rs deleted a comment from packit-as-a-service bot Nov 29, 2024
@mmartinv mmartinv force-pushed the packit-fixes-and-enhancements branch 3 times, most recently from 5b885af to 3175e22 Compare November 29, 2024 12:31
@fdo-rs fdo-rs deleted a comment from packit-as-a-service bot Nov 29, 2024
@fdo-rs fdo-rs deleted a comment from packit-as-a-service bot Nov 29, 2024
@mmartinv mmartinv force-pushed the packit-fixes-and-enhancements branch 3 times, most recently from 12b1fb2 to 803b878 Compare November 29, 2024 15:54
fido-device-onboard.spec Outdated Show resolved Hide resolved
@@ -23,9 +25,45 @@ help:
@echo "The following targets are available:"
@echo
@echo " help: Print this usage information."
@echo " source: Generate source tar file in the current directory."
@echo " vendor: Generate vendor tar file in the current directory."
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess we can update the SOP document to use these commands too - like git checkout v0.5.2 and then make source && make vendor and then git checkout c10s && centpkg updload file.tar.gz etc etc (maybe for another PR of course)

Copy link
Contributor Author

@mmartinv mmartinv Dec 2, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shouldn't the propose-downstream also work for centos? (except for the corresponding Jira ticket creation)

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yeah, but you still have to upload the sources (this is how I read the page on the packit guide as it's not yet implemented to upload sources to the lookaside cache) - also, building isn't taken care of as far as I can tell

maybe I'm wrong :)

Copy link
Contributor Author

@mmartinv mmartinv Dec 4, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, I think you are right, It looks like the automation will not do it for us but there's the option of using the cli according to the warning note.

Mabye something like (after filing the corresponding Jira ticket: RHEL-XXXXX):

git checkout v0.5.2
packit propose-downstream --pr \
                          --dist-git-branch c10s \
                          --resolve-bug RHEL-XXXXX
                          --package fido-device-onboard-centos

@mmartinv mmartinv force-pushed the packit-fixes-and-enhancements branch 3 times, most recently from 84690cf to 11e8927 Compare December 2, 2024 16:00
@mmartinv mmartinv requested a review from runcom December 2, 2024 16:35
Add a copy of the original `aws-nitro-enclaves-cose` crate to the
repository. The copied version is the one required by FDO to operate
until we migrate to `coset` or any other crate that provides COSE
implementation.

Signed-off-by: Miguel Martín <[email protected]>
Prevent `direct implementation of ToString` clippy
errors and backport [1]

[1]awslabs/aws-nitro-enclaves-cose#66

Signed-off-by: Miguel Martín <[email protected]>
@mmartinv mmartinv force-pushed the packit-fixes-and-enhancements branch from 11e8927 to e1341dc Compare January 10, 2025 15:25
@nullr0ute
Copy link
Contributor

This shouldn't really be one massive PR, there's a whole raft of different changes in here, I'm also not particularly happy about pulling an unrelated code base into here due to maintenance and CVEs. I feel it would likely be less work to just move to the latest version of the COSE crate so we don't have to do this malarkey and we'd not have the problem again moving forward.

@mmartinv
Copy link
Contributor Author

This shouldn't really be one massive PR, there's a whole raft of different changes in here,

I can separate the crate changes from the packit changes if you want but that would mean to move one or two commits only.

I'm also not particularly happy about pulling an unrelated code base into here due to maintenance and CVEs.

Only the RHEL builds will be using the included code base, the Fedora builds are supposed to keep using the upstream patched crate which is rpm packaged in Fedora, so the only difference is that you will be adding the patch in this repo instead of adding the patch in the repo you have in your personal fork for the RHEL builds.

I feel it would likely be less work to just move to the latest version of the COSE crate so we don't have to do this malarkey and we'd not have the problem again moving forward.

It's not, I tried to update and we need changes in the code to implement additional traits for some particular types. Moreover, there are some crate additions in the the updated version so we would need to add some new RPMs to Fedora if we upgrade, not checked the full list of dependencies though. Taking into account that we agreed to migrate to coset crate I don't think the effort to update worth it.

Remove the uneeded patches from spec file and
assume fedora by default

Signed-off-by: Miguel Martín <[email protected]>
Add additional Makefile targets:
- source: to generate source tar file
- vendor: to generate vendor tar file
- packit-create-archive: to generate the source
code and vendor  tarballs in packit.
@mmartinv mmartinv force-pushed the packit-fixes-and-enhancements branch from e1341dc to 062f38a Compare January 20, 2025 08:12
@mmartinv mmartinv added the jira label Jan 20, 2025
@mmartinv mmartinv force-pushed the packit-fixes-and-enhancements branch from 062f38a to 854672e Compare January 21, 2025 12:42
Use the new Makefile target in packit actions.

Signed-off-by: Miguel Martín <[email protected]>
Skip external crates from spellcheck and DevSkim analisys

Signed-off-by: Miguel Martín <[email protected]>
Add the generated source and vendor tar files to .gitignore

Signed-off-by: Miguel Martín <[email protected]>
- Elide explicit lifetimes pointed out by clippy.
- Allow `clippy::elided-named-lifetimes` lint warning until a final fix.
- Allow `clippy::zombie_processes` until a final fix.
- Bump `num-derive` to 0.4 in data-formats.

Signed-off-by: Miguel Martín <[email protected]>
@mmartinv mmartinv force-pushed the packit-fixes-and-enhancements branch from 854672e to b1a55bd Compare January 21, 2025 15:14
@mmartinv mmartinv added dependencies Pull requests that update a dependency file distro Distro related things such as packaging and removed jira labels Jan 21, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
dependencies Pull requests that update a dependency file distro Distro related things such as packaging
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants