igorbarshteyn / oqs-openssl-quic

A fork of Open Quantum Safe Project's fork of OpenSSL 1.1.1m, which adds QUIC protocol support from the quictls project.

Create script for automated repo update #5

Closed baentsch closed 2 years ago

baentsch commented 2 years ago

If possible, create a script that automatically merges the two OpenSSL forks https://github.com/open-quantum-safe/openssl and https://github.com/quictls/openssl to create a current version of oqs-openssl-quic, e.g., when both forks have merged in a new upstream tag/release. This pertains to OpenSSL v1.1.1.

igorbarshteyn commented 2 years ago

Hi Michael,

I'm not well versed in GitHub yet, so I'm not sure if I can help you with code to update the repo on GitHub, upload the repo and create a new tag.

That said, I have created a script which currently creates a local build of oqs-openssl-quic non-interactively in place, and installs it.

I've experimented with using tags to match up the oqs-openssl and quictls versions. However, it presently doesn't work because 'git describe' for the main branch of oqs-openssl returns a tag which is not what I expected. If 'git describe' for the main branch of oqs-openssl returned something like 'OpenSSL_1_1_1m' or similar format, I could probably use this to automatically match up with the correct tag in quictls, and the script could be reused if the tags changed in a predictable fashion following OpenSSL release tag format. Please see the comments in the script for details of my tag-based automation experiments. I've left the automation parts commented out so they can be readily activated at a later time.

I hope this helps to show my logic in adding commits from quictls, and also helps you construct the eventual docker image.

oqs-openssl-quic-autobuild.zip

Thanks,

Igor
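The tag matching discussed in the comment above, sketched as an added example (not part of the thread and not the script attached to it): derive the upstream release name from a `git describe` string and accept a tag from the other fork only when exactly one is built on that same release. The function names and all sample tag strings are constructed for illustration; the forks' real tag naming may differ.

```bash
#!/usr/bin/env bash
# Added example. Tag strings below are constructed samples, not taken
# from either repository.

# Print the upstream release (e.g. OpenSSL_1_1_1m) that a tag or
# `git describe` string starts with; fail if it is not release-style.
upstream_release() {
  printf '%s\n' "$1" |
    sed -nE 's/^(OpenSSL_[0-9]+_[0-9]+_[0-9]+[a-z]*)([+-].*)?$/\1/p' |
    grep .
}

# Read candidate tags on stdin and print the single tag built on exactly
# the given release. Zero or several matches is an error, so a merge
# script stops instead of combining mismatched bases.
pick_matching_tag() (
  release="$1"; match=""; count=0
  while IFS= read -r tag; do
    if [ "$(upstream_release "$tag")" = "$release" ]; then
      match="$tag"; count=$((count + 1))
    fi
  done
  [ "$count" -eq 1 ] && printf '%s\n' "$match"
)

# Combine both steps: describe string from one fork, tag list from the other.
select_quic_tag() {
  release=$(upstream_release "$1") ||
    { echo "no release-style tag in: $1" >&2; return 1; }
  printf '%s\n' "$2" | pick_matching_tag "$release" ||
    { echo "no unique tag for $release" >&2; return 1; }
}

# Constructed inputs: a describe string and a list of candidate tags.
OQS_DESCRIBE='OpenSSL_1_1_1m-41-g0123abc'
QUIC_TAGS='OpenSSL_1_1_1l+quic
OpenSSL_1_1_1m+quic
openssl-3.0.1+quic'

select_quic_tag "$OQS_DESCRIBE" "$QUIC_TAGS"
```

If the upstream release tags are present in a clone, `git describe --tags --match 'OpenSSL_1_1_1*'` restricts the result to tags of that form, which gives `upstream_release` a usable input.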

baentsch commented 2 years ago

Hi Igor,

I amended your script and put it into github as a file easy to reference: https://github.com/igorbarshteyn/oqs-openssl-quic/blob/mb-client-server-docker/oqs-scripts/oqs-openssl-quic-autobuild.sh. Its location just feels wrong (within the repo it's actually creating). So two questions: 1) Could you please glance it over to check whether it's (still) OK? My main changes were to set by variable the locations where to install everything and which "contributing" repo tags to merge, as well as to add testing before commit. The latter command is commented out as I'd envision this script as part of the "dockerization" of all components (where check-in is not really necessary). 2) Would you want to consider contributing this to OQS? My suggestion would be for you to fork https://github.com/open-quantum-safe/oqs-demos, create a branch "quic", adding in there a folder quic and this file (for starters -- maybe also adding a README.md already explaining what this is all about). Then do a PR to oqs-demos to ensure you are properly attributed as author for this good work?

This could be the starting point of an ongoing git-based cooperation where your contributions would be properly visible (beyond linked-in) and where we can build on each other's work via the mechanisms provided by git. If this would be OK for you, could you please also confirm that your employer is OK with this, doesn't retain limiting rights in your contributions and is OK with our license?

Best, --Michael

igorbarshteyn commented 2 years ago

@baentsch Hi Michael,

In reply to your questions:

1) Thanks so much for updating the oqs-openssl-quic build script - I will review your updates ASAP. At present I can only contribute a few hours per week, due to working on this project in the evenings or on weekends outside of full-time work, and also due to attending to 3 small children running around the house.

2) That said, I would absolutely love the opportunity to contribute in my small way to your project.

Regarding licensing: I published the original rough script that deploys the demo platform on Ubuntu LTS (comprising oqs-openssl-quic from this repo built against your liboqs, a build of nginx-quic using oqs-openssl-quic from this repo, a build of LSQUIC against your oqs-boringssl/liboqs, and late-version Wireshark) on LinkedIn under the Creative Commons attribution license, working strictly on my own time outside of work, and my current employer neither retains rights to that script nor can lay claim to it. This script in no way intersects with my job function at my current employer. Note that the Creative Commons license only applies to the script for building the demo platform, and does not apply to or modify the underlying licenses for the components I cobble together via the script for the demo (e.g. MIT license for liboqs, oqs-openssl, oqs-boringssl, and for oqs-openssl-quic which inherits it; 2-clause BSD license for nginx-quic; GNU GPLv2 for Wireshark; Apache 2.0 for quictls; and also MIT license for LSQUIC).

A further point: I'm starting with a new employer (on February 7th), and my agreement with them specifically states that any work I'm doing relating to QUIC support in oqs-openssl is excluded from any claims they may have, as it's something I've started working on before joining with them.

I would be happy to follow the steps you described to fork oqs-demos and create the quic branch where I can further contribute by refining and improving the current demo. I would be happy to have the improved demo script advertise your MIT license rather than the CC license for the original rough cut that I published.

There is much room for improvement. Things I'd like to work on/add are:

1) Make the LSQUIC build against oqs-boringssl transparent and programmatic, rather than giving a prebuilt ZIPped result of manual modifications to makefiles that effect the build. Also I'd love to tweak the configuration for oqs-boringssl used to build LSQUIC so that more KEX's are available for the user to experiment with.

2) Figure out what's causing cert generation to fail in many cases in my current demo. I haven't had a chance to look at that yet, nor to test with an alternate method for generating.

3) Include the docker-based Wireshark integration with OQS (per Anthony Hu's suggestion) as part of the demo, instead of the current generic Wireshark, which would allow the user to read the names of the quantum-safe algorithms involved directly, instead of looking at code point references in the packets.

4) Eventually get a demo with OpenSSL 3.0 and the OQS-provider working as well. So far I haven't made any progress in that direction beyond building the default OQS versions (without QUIC support) per the documentation your team kindly provides in your repo. This is a more long-term goal.

I'll likely not be able to do much work on this till after the 7th when I start the new job, as I am working to finish out my engagement with my current employer on a positive note.

Please let me know if this would be OK and I will do the forking and branching later next week and will proceed as outlined above. Once I do this, I'll no longer publish updates on LinkedIn directly, and I will inform the OQS team and invite further collaboration via GitHub.

Thanks for all your help and insight - I'm still new to all this (GitHub, git in general, docker - which I just started with 2 days ago, etc.). Over the past 2 months I've learned many new things, and it's clear I still have much to learn.

Have a good evening!

Igor

baentsch commented 2 years ago

Hi Igor,

Thanks for all this background: This lets me understand your perspective very well. Please, by all means, focus on your kids and the job change. We'll be very happy as and when you have time to contribute via git; your contributions so far have been great and stimulated my interest in (OQS-)QUIC. Your plan above also looks good to me. I in turn will focus on the (oqs-)openssl/msquic side of things as you focus on boringssl/lsquic: Seems perfectly complementary. I'll surely be glad to help out with git & docker questions wherever I can; also feel free to send me direct mail to info(at)<my_[git_user]name>.ch. Good luck with your new employer!

--Michael

baentsch commented 2 years ago

Hi Igor, any chance you could take a quick look at https://github.com/igorbarshteyn/oqs-openssl-quic/blob/mb-client-server-docker/oqs-scripts/merge-oqs-openssl-quic.sh ?

If so, I'd be really grateful if you could take a few minutes to do a fork of https://github.com/open-quantum-safe/oqs-demos, create a folder "quic" in there, add this file (possibly suitably amended with a README.md of your liking) and create a PR: I have pretty complete docker build envs waiting for this to create immediately cloud-deployable installations for quic-nginx and msquic -- fully in line with what we did for the other integrations.

This way our work would have a suitable place to continue to be built on -- with proper (github) attributions as to who contributed what.

igorbarshteyn commented 2 years ago

Hi Michael,

Being new to GitHub, I think I did all this correctly. Please check my pull-request and let me know if anything needs to be changed.

Thanks again,

Igor

On Wed, Feb 9, 2022 at 2:25 AM Michael Baentsch @.***> wrote:

> Hi Igor, any chance you could take a quick look at https://github.com/igorbarshteyn/oqs-openssl-quic/blob/mb-client-server-docker/oqs-scripts/merge-oqs-openssl-quic.sh ?
>
> If so, I'd be really grateful if you could take a few minutes to do a fork of https://github.com/open-quantum-safe/oqs-demos, create a folder "quic" in there, add this file (possibly suitably amended with a README.md of your liking) and create a PR: I have pretty complete docker build envs waiting for this to create immediately cloud-deployable installations for quic-nginx and msquic -- fully in line with what we did for the other integrations.
>
> This way our work would have a suitable place to continue to be built on -- with proper (github) attributions as to who contributed what.


baentsch commented 2 years ago

Closed via https://github.com/open-quantum-safe/oqs-demos/pull/123