Update Windows CI to use php-sdk-2.3.0 (PHP-8.1) #16097
Closed
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
php-sdk-2.2.0 still fetches dependencies from the no longer up to date <https://windows.php.net/downloads/php-sdk/deps/>, and as such won't be tested with any security updates we provide for Windows. Given that PHP 8.1 is going to receive security updates for further 15 months, we should should not ignore these dependency updates. We also fix failing OpenSSL tests, which are no longer failing, at least on Windows, because we have back-ported the fix for the Marvin Attack[1]. So we fix the test cases accordingly. [1] <GHSA-hh26-4ppw-5864>
|
So the versions that have not be fixed are declared as unsafe for PHP as per GHSA-hh26-4ppw-5864 . So not sure if we need to tweak tests for them. We might try to add some skip rule maybe but it might not be that easy to identify... |
Then I'm fine with not having any fallbacks for unfixed OpenSSL versions (might actually be good to have the tests fail for these versions; might push users to no longer use them). |
bukka
reviewed
Sep 28, 2024
We use the same naming scheme as with openssl_error_string_basic.phpt.
Use OPENSSL_PKCS1_OAEP_PADDING padding in tests (cherry picked from commit 11caf09)
This was referenced Sep 28, 2024
cmb69
changed the title
|
@ramsey, @patrickallaert, what do you think? I like to have a green CI for PHP 8.1, and this would be a good first step. PR #16107 would be another step. |
cmb69
added a commit
to cmb69/php-src
that referenced
this pull request
Oct 1, 2024
As is, we're running the push workflow for all pushes and pull request, plus we run more comprehensive nightly workflow for all branches which had commits during the day. That means that security branches may not run CI for weeks or even months. In the meantime, dependencies might be updated, which can cause later workflow runs to fail. For instance, a few openssl tests fail due to security fixes in OpenSSL[1], an update of Oracle Instant Client causes a couple of oci8 and pdo_oci tests to fail[2], and the macOS builds do no longer even built (investigation pending). Therefore, we allow to run the pull workflow manually, so it is possible to check the CI condition of temporary inactive branches from time to time. [1] <php#16097> [2] <php#16107>
cmb69
added a commit
that referenced
this pull request
Oct 10, 2024
As is, we're running the push workflow for all pushes and pull request, plus we run more comprehensive nightly workflow for all branches which had commits during the day. That means that security branches may not run CI for weeks or even months. In the meantime, dependencies might be updated, which can cause later workflow runs to fail. For instance, a few openssl tests fail due to security fixes in OpenSSL[1], an update of Oracle Instant Client causes a couple of oci8 and pdo_oci tests to fail[2], and the macOS builds do no longer even built (investigation pending). Therefore, we allow to run the pull workflow manually, so it is possible to check the CI condition of temporary inactive branches from time to time. [1] <#16097> [2] <#16107> Closes GH-16148.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
php-sdk-2.2.0 still fetches dependencies from the no longer up to date https://windows.php.net/downloads/php-sdk/deps/, and as such won't be tested with any security updates we provide for Windows. Given that PHP 8.1 is going to receive security updates for further 15 months, we should should not ignore these dependency updates.
We also fix failing OpenSSL tests, which are no longer failing, at least on Windows, because we have back-ported the fix for the Marvin Attack[1]. So we fix the test cases accordingly.
[1] GHSA-hh26-4ppw-5864
I was quite surprised to see a recent PHP-8.1 CI job passing on Windows; but of course, when running against out-dated dependencies, that is actually expected. Note that our nightly builds already use php-sdk-2.3.0, so the test failures can be seen there.
@bukka, the OpenSSL test updates are likely too strict, since we may need to cater to OpenSSL versions which haven't been fixed yet.