openssl: delete cgo-less experiment and promote to default#2106
openssl: delete cgo-less experiment and promote to default#2106gdams wants to merge 3 commits intomicrosoft/mainfrom
Conversation
gdams
force-pushed
the
dev/gadams/cgoless
branch
from
1afd358 to
0663034
Compare
gdams
force-pushed
the
dev/gadams/cgoless
branch
from
0663034 to
4207a50
Compare
Patch Consistency Review - Issues FoundI've reviewed PR #2106 for patch consistency and found 3 consistency issues that need to be addressed: Summary of ChangesThe PR is removing the Issues Found
ImpactThese inconsistencies could lead to:
RecommendationPlease update:
I've added specific inline comments on each location that needs attention. The core patch changes (0002 and 0003) look good and are internally consistent with each other.
|
This is part of the go-infra package so we can't remove this here. I also don't think it makes sense to remove it from go-infra for now as we need it for Go 1.26.
I've tried to get the balance right in the migration guide, considering that most users will be running Go 1.26 so mentioning the experiment still makes sense. |
| +// license that can be found in the LICENSE file. | ||
| + | ||
| +//go:build goexperiment.opensslcrypto && !(cgo || (goexperiment.ms_nocgo_opensslcrypto && (386 || amd64 || arm || arm64 || ppc64le || riscv64))) | ||
| +//go:build goexperiment.opensslcrypto && !(cgo || 386 || amd64 || arm || arm64 || ppc64le || riscv64) |
There was a problem hiding this comment.
It's not clear to me on an initial read, but based on this, is the plan to use cgo if cgo happens to be enabled for some other reason, and use cgoless if cgo isn't enabled globally? What if someone wants to use cgo e.g. because they're targeting a different platform? Or if they don't want to use cgo for the backend, but do want to use it for their own C library they're using?
What are the current limitations of the cgoless implementation? Are there performance differences, functional differences (even if slight)?
Worth an ADR to explore?
There was a problem hiding this comment.
is the plan to use cgo if cgo happens to be enabled for some other reason, and use cgoless if cgo isn't enabled globally
Yes. This fact needs to be better documented, probably as part of this PR @gdams.
What if someone wants to use cgo e.g. because they're targeting a different platform? Or if they don't want to use cgo for the backend, but do want to use it for their own C library they're using?
Mixing cgo with cgoless OpenSSL is possible, but I don't see why someone would want to do that, and that means more testing and complexity on our side.
What are the current limitations of the cgoless implementation? Are there performance differences, functional differences (even if slight)?
This also needs to be documented. There are some few limitations and differences that I want to smooth out before Go 1.27.
Worth an ADR to explore?
I should have made an ADR for all this enchilada one year ago. IMO it is a bit late now, we should focus instead on writing good docs.
There was a problem hiding this comment.
I've updated the docs to explain this slighlt more clearly
There was a problem hiding this comment.
We talked about this in sync, and a feature doc sounds good. (IMO it can serve just fine as the de-facto Record of our Architecture Decision. 🙂) We also talked about potentially adding a dedicated roadmap somewhere, which could take pressure off this cgoless doc potentially having to explain the whole rollout plan.
I think the agent needs to be taught that it shouldn't pay attention to vendored Go code in general. |
dagood
changed the title
The comment from the agent was useful to me, it surfaced the need to update the telemetry configuration at some point in the future. The recommendation is wrong, that's true, we don't want to do it now. |
Patch Consistency Review SummaryI've reviewed the patch file changes in this PR, which promotes the cgo-less OpenSSL implementation from an experimental feature ( Changes OverviewThe PR makes consistent changes across:
Issue FoundThere is one inconsistency that needs to be addressed: Patch 0001 (Vendor patch) still contains a reference to RecommendationPlease update the telemetry configuration in patch 0001 to remove the
|
|
|
||
| > [!NOTE] | ||
| > As of Go 1.26, there is a cgo-less experiment available for Linux: `ms_nocgo_opensslcrypto`. | ||
| > In Go 1.26, there is a cgo-less experiment available for Linux: `ms_nocgo_opensslcrypto`. For Go 1.27 this experiment will be removed and the cgo requirement for `systemcrypto` on Linux will be lifted by default. |
There was a problem hiding this comment.
Split the line for reading/scanning clarity--put the version noticeably at left edge.
| > In Go 1.26, there is a cgo-less experiment available for Linux: `ms_nocgo_opensslcrypto`. For Go 1.27 this experiment will be removed and the cgo requirement for `systemcrypto` on Linux will be lifted by default. | |
| > In Go 1.26, there is a cgo-less experiment available for Linux: `ms_nocgo_opensslcrypto`. | |
| > | |
| > In Go 1.27, the experiment will be removed and the cgo requirement for `systemcrypto` on Linux will be lifted by default. | |
| > |
| > Currently this experiment is supported on the following architectures: `386`, `amd64`, `arm`, `arm64`, `ppc64le` and `riscv64`. | ||
| > Currently this experiment is supported on the following architectures: **386**, **amd64**, **arm**, **arm64**, **ppc64le** and **riscv64**. | ||
| > | ||
| > **How the backend is selected:** If cgo is enabled (e.g., `CGO_ENABLED=1`), the cgo-based OpenSSL backend is always used. |
There was a problem hiding this comment.
This should be in its own doc IMO and linked from here as a "for more details". As long as this selection is done properly and there are no feature/perf gaps, it seems to me that it will "just work" and the vast majority reading this doc don't need the details.
| > Currently this experiment is supported on the following architectures: **386**, **amd64**, **arm**, **arm64**, **ppc64le** and **riscv64**. | ||
| > | ||
| > **How the backend is selected:** If cgo is enabled (e.g., `CGO_ENABLED=1`), the cgo-based OpenSSL backend is always used. | ||
| > The cgo-less backend is only used when cgo is disabled AND you're on a supported architecture. |
There was a problem hiding this comment.
I don't think we use caps for emphasis normally?
| > The cgo-less backend is only used when cgo is disabled AND you're on a supported architecture. | |
| > The cgo-less backend is only used when cgo is disabled **and** you're on a supported architecture. |
| > | ||
| > **How the backend is selected:** If cgo is enabled (e.g., `CGO_ENABLED=1`), the cgo-based OpenSSL backend is always used. | ||
| > The cgo-less backend is only used when cgo is disabled AND you're on a supported architecture. | ||
| > This means if you enable cgo for other reasons (e.g., your own C library or cross-compiling for a different platform), the crypto backend will use the cgo-based implementation. |
There was a problem hiding this comment.
Why would you enable cgo for cross-compiling for a different platform?
| +++ b/src/crypto/internal/backend/openssl_linux.go | ||
| @@ -0,0 +1,424 @@ | ||
| +// Copyright 2017 The Go Authors. All rights reserved. | ||
| +// Use of this source code is governed by a BSD-style | ||
| +// license that can be found in the LICENSE file. | ||
| + | ||
| +//go:build goexperiment.opensslcrypto && linux && (cgo || goexperiment.ms_nocgo_opensslcrypto) | ||
| +//go:build goexperiment.opensslcrypto |
There was a problem hiding this comment.
I might be forgetting a convention, but isn't it bad/unexpected to have a file named openssl_linux.go that doesn't have a linux build tag? (And does this really imply that we have Windows/macOS/etc. support here?)
| + These architectures are: 386, amd64, arm, arm64, ppc64le and riscv64. | ||
| + | ||
| + For more information, visit https://github.com/microsoft/go/blob/microsoft/main/eng/doc/MigrationGuide.md#cgo-is-not-enabled | ||
| + For more information, including how to request support for additional architectures, visit https://github.com/microsoft/go/blob/main/eng/doc/MigrationGuide.md#cgo-is-not-enabled. |
There was a problem hiding this comment.
Leave out .. Some shells' URL parsers could probably handle it to make it clickable without breaking the URL, but not all. It might also be manually copy-pasted by selection, and it's easier to do that when there aren't adjacent garbage characters.
Also, branch is wrong.
| + For more information, including how to request support for additional architectures, visit https://github.com/microsoft/go/blob/main/eng/doc/MigrationGuide.md#cgo-is-not-enabled. | |
| + For more information, including how to request support for additional architectures, visit https://github.com/microsoft/go/blob/microsoft/main/eng/doc/MigrationGuide.md#cgo-is-not-enabled |
3 participants
This is for go 1.27 and onwards