crocs-muni / usable-cert-validation

Research initiative to make TLS certificate validation usable.
https://x509errors.org
MIT License

Automatically test the results of certificate validation in all libraries #59

Open zacikpa opened 4 years ago

zacikpa commented 4 years ago

We test that OpenSSL validation is correct when building. Test other libraries as well.

mukrop commented 3 years ago

Done in the new system, is it not @zacikpa?

zacikpa commented 3 years ago

Actually, we do not test that the result is the same in each build, as we did in OpenSSL before.

I would leave this issue open. This is something that we would probably like to have in the future.

zacikpa commented 2 years ago

I've given this some more thought and it does not make much sense anymore. The behavior of some libraries will inevitably change for some of our certificates at some point, but we are not the ones to dictate how libraries should behave.

If we just want to check whether some library behavior changed, there may be easier ways (e.g. seeing how the mapping file compares to the previous one).

I would close this issue. What's your opinion, @mukrop?

mukrop commented 2 years ago

> If we just want to check whether some library behavior changed, there may be easier ways (e.g. seeing how the mapping file compares to the previous one).

I see. Though this feature was meant as a self-check, not as a way to analyze libraries. My motivation was to prevent us from deploying the version where all certificates throw "expired" just because Travis screwed the clock setting or we messed with something we were not supposed to. Don't you find it a useful sanity check? How complicated would this be to add?
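The two ideas in this thread (comparing the mapping file with the previous one, and catching a build where every certificate reports "expired") can be combined in one check, shown here as an added example that is not code from the project or from either commenter. It assumes a hypothetical mapping of the form `{certificate name: result code}` for one library; the certificate names, the sample data and the 0.8 threshold are constructed for illustration.

```python
import sys
from collections import Counter

# Constructed sample data: {certificate name: validation result} for one library.
PREVIOUS = {
    "valid": "X509_V_OK",
    "expired": "X509_V_ERR_CERT_HAS_EXPIRED",
    "not-yet-valid": "X509_V_ERR_CERT_NOT_YET_VALID",
    "self-signed": "X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT",
    "revoked": "X509_V_ERR_CERT_REVOKED",
    "invalid-ca": "X509_V_ERR_INVALID_CA",
}
# Every certificate reports "expired", as a wrong build-machine clock would cause.
SKEWED = {name: "X509_V_ERR_CERT_HAS_EXPIRED" for name in PREVIOUS}
# One certificate changed its result, as a library update might cause.
DRIFTED = {**PREVIOUS, "invalid-ca": "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT"}


def dominant(mapping):
    """Return (code, share) of the most frequent result code."""
    if not mapping:
        return None, 0.0
    code, count = Counter(mapping.values()).most_common(1)[0]
    return code, count / len(mapping)


def sanity_check(previous, current, collapse_ratio=0.8):
    """Classify a new mapping as 'ok', 'drift' or 'collapse' against the last one."""
    changed = {name: (previous[name], current[name])
               for name in sorted(previous.keys() & current.keys())
               if previous[name] != current[name]}
    report = {"changed": changed,
              "missing": sorted(previous.keys() - current.keys())}
    code, share = dominant(current)
    _, old_share = dominant(previous)
    # One code newly covering almost every certificate points at the build
    # environment (clock, trust store), not at a change in library behaviour.
    if share >= collapse_ratio and old_share < collapse_ratio:
        report["dominant"] = code
        return "collapse", report
    if changed or report["missing"]:
        return "drift", report
    return "ok", report


if __name__ == "__main__":
    status, report = sanity_check(PREVIOUS, SKEWED)
    print(status, report.get("dominant"), len(report["changed"]), "changed")
    sys.exit(1 if status == "collapse" else 0)  # fail the build only on collapse
```

Only "collapse" fails the build here; "drift" is reported for review, so a single library changing its behaviour does not block deployment.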