On 06/11/19 18:08, Leif Lindholm wrote:

On Tue, Jun 11, 2019 at 05:46:37PM +0200, Laszlo Ersek wrote:

The instructions have spread to many other places (build instructions
in wiki and edk2-platforms Readme.md being two of them).
That's not to say we shouldn't change it, but that we need to go
through and update those places too.

And frankly, if we've accepted the need to support submodules, we
need to document how edk2 interacts with submodules, not how each
individual submodule interacts with edk2 - so the git instructions in
OpenSSL-HOWTO.txt should probably be deleted.

This might be a good topic to bring to the next design meeting.

Presumably the above will be a useful workaround for the original
reporter in the meantime.

To be clear -- the problem *exists* only because the original reporter
is stuck behind a restrictive firewall. There is nothing *technically*
wrong with the current instructions in "OpenSSL-HOWTO.txt". There is
nothing particular in how "edk2 interacts with submodules". We're
discussing workarounds for a political problem.

At this point in time we are discussing a workaround for a political
problem. But relying on submodules means relinquishing elements of
control and consistency (if github goes down, we're consistently
down).

In this instance, we explicitly don't care about the submodule for
that other project (and I really hope this is the norm) - so we
shouldn't be documenting steps that rely on that additional
submodule existing.

Yes; this is why I suggested dropping "--recursive" from the
instructions. As far as I remember, it was meant as a convenience for
users cloning the edk2 repo from zero.

Whether its inaccessibility is for political (not
just this one, but "oh, someone told me there was pirated things on
that host"), technical ("server went down") or financial ("where is me
domain, me noggin' noggin' domain, it's all gone for beer and
tobacco") reasons.

(Why yes, I may be going slightly loopy from too much python.)

This is why I am referring to anything other than a central definition
of the relationship between edk2 and its submodules as a workaround. I
am not suggesting any shortcomings in the technical aspect.

Can you provide an example definition then? I'm having trouble imagining
one.

Or do you have QEMU in mind, as an example? AIUI, the QEMU project has
server-side jobs that continuously mirror all submodule repositories
from their primary locations to the QEMU git server. And then submodule
URLs in the main QEMU tree (the "superproject") point to the mirrored
subprojects on "git.qemu.org". This makes sure all submodules can be
cloned as long as QEMU itself can be cloned.

In edk2, the direct submodules (OpenSSL and SoftFloat) are both on
github, same as edk2 itself. OpenSSL seems to have three submodules,
"pyca-cryptography" (on github), "krb5" (ditto), and "boringssl" (on
"googlesource.com"). "boringssl" has a mirror at
<https://github.com/google/boringssl>, but:

- in order to change the URL in OpenSSL, we'd either have to convince
the OpenSSL developers to reference the github mirror rather than the
central boringssl repo, or we'd have to diverge from OpenSSL upstream in
our submodule (with a commit that updates the URL)

- we *really* don't need boringssl:

- Readme.md at <https://github.com/google/boringssl> states as much
up-front ("it is not intended for general use, as OpenSSL is. We
don't recommend that third parties depend upon it")

- In OpenSSL, the boringssl submodule was introduced in commit
ab29eca645cd ("Run BoringSSL tests on Travis", 2016-11-24). It looks
completely useless for superprojects (i.e. for communities that
don't actively develop OpenSSL itself).

In short I don't see how we can define a uniform / blanket relationship
between edk2 and all of its sub-sub-modules. We could provide a list
that discussed each case separately. And this list could change every
time we moved forward to a new OpenSSL (or other direct submodule) release.

I'm sorry if this is just wild speculation but I really don't understand
what you have in mind, for the definition. Can you please give an example?

Thanks
Laszlo

On Tue, Jun 11, 2019 at 05:46:37PM +0200, Laszlo Ersek wrote:

The instructions have spread to many other places (build instructions
in wiki and edk2-platforms Readme.md being two of them).
That's not to say we shouldn't change it, but that we need to go
through and update those places too.

And frankly, if we've accepted the need to support submodules, we
need to document how edk2 interacts with submodules, not how each
individual submodule interacts with edk2 - so the git instructions in
OpenSSL-HOWTO.txt should probably be deleted.

This might be a good topic to bring to the next design meeting.

Presumably the above will be a useful workaround for the original
reporter in the meantime.

To be clear -- the problem *exists* only because the original reporter
is stuck behind a restrictive firewall. There is nothing *technically*
wrong with the current instructions in "OpenSSL-HOWTO.txt". There is
nothing particular in how "edk2 interacts with submodules". We're
discussing workarounds for a political problem.

At this point in time we are discussing a workaround for a political
problem. But relying on submodules means relinquishing elements of
control and consistency (if github goes down, we're consistently
down).

In this instance, we explicitly don't care about the submodule for
that other project (and I really hope this is the norm) - so we
shouldn't be documenting steps that rely on that additional
submodule existing. Whether its inaccessibility is for political (not
just this one, but "oh, someone told me there was pirated things on
that host"), technical ("server went down") or financial ("where is me
domain, me noggin' noggin' domain, it's all gone for beer and
tobacco") reasons.

(Why yes, I may be going slightly loopy from too much python.)

This is why I am referring to anything other than a central definition
of the relationship between edk2 and its submodules as a workaround. I
am not suggesting any shortcomings in the technical aspect.

/
Leif

On 06/11/19 12:30, Leif Lindholm wrote:

On Tue, Jun 11, 2019 at 12:08:34PM +0200, Laszlo Ersek wrote:

Argh, no. OpenSSL has boringssl as a git submodule.

edk2/CryptoPkg/Library/OpensslLib/openssl$ cat .gitmodules
[submodule "boringssl"]
path = boringssl
url = https://boringssl.googlesource.com/boringssl
...

That's right, but it shouldn't matter. In edk2, I always use

$ git submodule update --init --force

and I never pass the "--recursive" flag. This is also how I tested the
upgrade to OpenSSL-1.1.1b, before edk2-stable201905 was tagged. The
boringssl sub-sub-module is not needed for edk2's purposes.

We might want to drop "--recursive" from "OpenSSL-HOWTO.txt", instead.

The instructions have spread to many other places (build instructions
in wiki and edk2-platforms Readme.md being two of them).
That's not to say we shouldn't change it, but that we need to go
through and update those places too.

And frankly, if we've accepted the need to support submodules, we
need to document how edk2 interacts with submodules, not how each
individual submodule interacts with edk2 - so the git instructions in
OpenSSL-HOWTO.txt should probably be deleted.

This might be a good topic to bring to the next design meeting.

Presumably the above will be a useful workaround for the original
reporter in the meantime.

To be clear -- the problem *exists* only because the original reporter
is stuck behind a restrictive firewall. There is nothing *technically*
wrong with the current instructions in "OpenSSL-HOWTO.txt". There is
nothing particular in how "edk2 interacts with submodules". We're
discussing workarounds for a political problem.

Thanks
Laszlo

On Tue, Jun 11, 2019 at 12:08:34PM +0200, Laszlo Ersek wrote:

Argh, no. OpenSSL has boringssl as a git submodule.

edk2/CryptoPkg/Library/OpensslLib/openssl$ cat .gitmodules
[submodule "boringssl"]
path = boringssl
url = https://boringssl.googlesource.com/boringssl
...

That's right, but it shouldn't matter. In edk2, I always use

$ git submodule update --init --force

and I never pass the "--recursive" flag. This is also how I tested the
upgrade to OpenSSL-1.1.1b, before edk2-stable201905 was tagged. The
boringssl sub-sub-module is not needed for edk2's purposes.

We might want to drop "--recursive" from "OpenSSL-HOWTO.txt", instead.

The instructions have spread to many other places (build instructions
in wiki and edk2-platforms Readme.md being two of them).
That's not to say we shouldn't change it, but that we need to go
through and update those places too.

And frankly, if we've accepted the need to support submodules, we
need to document how edk2 interacts with submodules, not how each
individual submodule interacts with edk2 - so the git instructions in
OpenSSL-HOWTO.txt should probably be deleted.

This might be a good topic to bring to the next design meeting.

Presumably the above will be a useful workaround for the original
reporter in the meantime.

Regards,

Leif

On 06/10/19 16:00, Leif Lindholm wrote:

On Mon, Jun 10, 2019 at 01:50:43PM +0000, Gao, Liming wrote:

edk2 submodule are from github openssl and berkeley-softfloat-3. If you can access edk2, you can also access them. Why you system redirect github openssl to boringssl?

* [CryptoPkg/Library/OpensslLib/openssl](https://github.com/openssl/openssl/blob/50eaac9f3337667259de725451f201e784599687/LICENSE)
* [ArmPkg/Library/ArmSoftFloatLib/berkeley-softfloat-3](https://github.com/ucb-bar/berkeley-softfloat-3/blob/b64af41c3276f97f0e181920400ee056b9c88037/COPYING.txt)

Argh, no. OpenSSL has boringssl as a git submodule.

edk2/CryptoPkg/Library/OpensslLib/openssl$ cat .gitmodules
[submodule "boringssl"]
path = boringssl
url = https://boringssl.googlesource.com/boringssl
...

That's right, but it shouldn't matter. In edk2, I always use

$ git submodule update --init --force

and I never pass the "--recursive" flag. This is also how I tested the
upgrade to OpenSSL-1.1.1b, before edk2-stable201905 was tagged. The
boringssl sub-sub-module is not needed for edk2's purposes.

We might want to drop "--recursive" from "OpenSSL-HOWTO.txt", instead.

Thanks
Laszlo

On Mon, Jun 10, 2019 at 01:50:43PM +0000, Gao, Liming wrote:

edk2 submodule are from github openssl and berkeley-softfloat-3. If you can access edk2, you can also access them. Why you system redirect github openssl to boringssl?

* [CryptoPkg/Library/OpensslLib/openssl](https://github.com/openssl/openssl/blob/50eaac9f3337667259de725451f201e784599687/LICENSE)
* [ArmPkg/Library/ArmSoftFloatLib/berkeley-softfloat-3](https://github.com/ucb-bar/berkeley-softfloat-3/blob/b64af41c3276f97f0e181920400ee056b9c88037/COPYING.txt)

Argh, no. OpenSSL has boringssl as a git submodule.

edk2/CryptoPkg/Library/OpensslLib/openssl$ cat .gitmodules
[submodule "boringssl"]
path = boringssl
url = https://boringssl.googlesource.com/boringssl
...


/
Leif

Thanks
Liming
From: devel@edk2.groups.io [mailto:devel@edk2.groups.io] On Behalf Of krishnaLee
Sent: Monday, June 10, 2019 5:07 PM
To: devel@edk2.groups.io
Cc: 'announce@edk2.groups.io' <announce@edk2.groups.io>; leif.lindholm@...; Kinney, Michael D <michael.d.kinney@...>; afish@...; Laszlo Ersek (lersek@...) <lersek@...>
Subject: Re: [edk2-devel] EDK II Stable Tag release edk2-stable201905 completed

Hi,
I had download it (git clone -b edk2-stable201905 https://github.com/tianocore/edk2.git),
but update openssl failed by command (git submodule update --init --recursive)
Cloning into 'D:/edk2/CryptoPkg/Library/OpensslLib/openssl/boringssl'...
fatal: unable to access 'https://boringssl.googlesource.com/boringssl/': Failed to connect to boringssl.googlesource.com port 443: Timed out

I think many chinese people need "Climbing<https://www.bing.com/dict/search?q=Climbing&FORM=BDVSP6&mkt=zh-cn> over<https://www.bing.com/dict/search?q=over&FORM=BDVSP6&mkt=zh-cn> the<https://www.bing.com/dict/search?q=the&FORM=BDVSP6&mkt=zh-cn> Wall<https://www.bing.com/dict/search?q=Wall&FORM=BDVSP6&mkt=zh-cn>" to access 'https://boringssl.googlesource.com/boringssl/'.

I am sorry about this but is there any other idea to bypass it?


thanks,
Krishna.



At 2019-06-06 17:54:48, "Liming Gao" <liming.gao@...<mailto:liming.gao@...>> wrote:

Hi, all

The tag edk2-stable201905 has been created. https://github.com/tianocore/edk2/releases/tag/edk2-stable201905
git clone -b edk2-stable201905 https://github.com/tianocore/edk2.git

The tag edk2-stable201905 has been added into the main EDK II Wiki page.
https://github.com/tianocore/tianocore.github.io/wiki/EDK-II

The quiet period has now ended. Thank you for your cooperation and patience. Normal commits can now be resumed.

Next edk2 stable tag (edk2-stable201908) planning has been added into wiki page.
https://github.com/tianocore/tianocore.github.io/wiki/EDK-II-Release-Planning.

If you have ideas for features in the next stable tag, please enter a Bugzilla for evaluation. Please let us know if there are existing open Bugzilla entries that should be targeted at this next stable tag.

Thanks
Liming

edk2 submodule are from github openssl and berkeley-softfloat-3. If you can access edk2, you can also access them. Why you system redirect github openssl to boringssl?

* [CryptoPkg/Library/OpensslLib/openssl](https://github.com/openssl/openssl/blob/50eaac9f3337667259de725451f201e784599687/LICENSE)
* [ArmPkg/Library/ArmSoftFloatLib/berkeley-softfloat-3](https://github.com/ucb-bar/berkeley-softfloat-3/blob/b64af41c3276f97f0e181920400ee056b9c88037/COPYING.txt)

Thanks
Liming
From: devel@edk2.groups.io [mailto:devel@edk2.groups.io] On Behalf Of krishnaLee
Sent: Monday, June 10, 2019 5:07 PM
To: devel@edk2.groups.io
Cc: 'announce@edk2.groups.io' <announce@edk2.groups.io>; leif.lindholm@...; Kinney, Michael D <michael.d.kinney@...>; afish@...; Laszlo Ersek (lersek@...) <lersek@...>
Subject: Re: [edk2-devel] EDK II Stable Tag release edk2-stable201905 completed

Hi,
I had download it (git clone -b edk2-stable201905 https://github.com/tianocore/edk2.git),
but update openssl failed by command (git submodule update --init --recursive)
Cloning into 'D:/edk2/CryptoPkg/Library/OpensslLib/openssl/boringssl'...
fatal: unable to access 'https://boringssl.googlesource.com/boringssl/': Failed to connect to boringssl.googlesource.com port 443: Timed out

I think many chinese people need "Climbing<https://www.bing.com/dict/search?q=Climbing&FORM=BDVSP6&mkt=zh-cn> over<https://www.bing.com/dict/search?q=over&FORM=BDVSP6&mkt=zh-cn> the<https://www.bing.com/dict/search?q=the&FORM=BDVSP6&mkt=zh-cn> Wall<https://www.bing.com/dict/search?q=Wall&FORM=BDVSP6&mkt=zh-cn>" to access 'https://boringssl.googlesource.com/boringssl/'.

I am sorry about this but is there any other idea to bypass it?


thanks,
Krishna.



At 2019-06-06 17:54:48, "Liming Gao" <liming.gao@...<mailto:liming.gao@...>> wrote:

Hi, all

The tag edk2-stable201905 has been created. https://github.com/tianocore/edk2/releases/tag/edk2-stable201905
git clone -b edk2-stable201905 https://github.com/tianocore/edk2.git

The tag edk2-stable201905 has been added into the main EDK II Wiki page.
https://github.com/tianocore/tianocore.github.io/wiki/EDK-II

The quiet period has now ended. Thank you for your cooperation and patience. Normal commits can now be resumed.

Next edk2 stable tag (edk2-stable201908) planning has been added into wiki page.
https://github.com/tianocore/tianocore.github.io/wiki/EDK-II-Release-Planning.

If you have ideas for features in the next stable tag, please enter a Bugzilla for evaluation. Please let us know if there are existing open Bugzilla entries that should be targeted at this next stable tag.

Thanks
Liming