dagood
commented
1 year ago Now that we have systemcrypto in 1.21, we can keep the old tag names, but make them usable for cross-building:
| Tag | Build platform | Target platform |
|---|---|---|
.../microsoft/golang:1.21-fips-bullseye |
Linux | Linux |
.../microsoft/golang:1.21-fips-bullseye |
Linux | Windows |
.../microsoft/golang:1.21-fips-windowsservercore-ltsc2022 |
Windows | Linux |
.../microsoft/golang:1.21-fips-windowsservercore-ltsc2022 |
Windows | Windows |
Right now, we have
-fipstags, but they're limited to building on Linux targeting Linux.We know that some people do build on Linux targeting Windows. It would help if we provide a tag to do that, rather than forcing them to manually configure
GOEXPERIMENTin this particular case.We also have no FIPS-preconfigured Windows builders, whether targeting Windows or Linux. I don't think we've identified any teams that build this way, but it seems reasonable to fill out the build matrix to have something ready for anyone who does.
We need a new naming scheme for this. I think dropping simple
-fips-and mentioning the backend is needed. Simplest is to use the goexperiment string, like:.../microsoft/golang:1.21-opensslcrypto-bullseye.../microsoft/golang:1.21-cngcrypto-bullseye.../microsoft/golang:1.21-opensslcrypto-windowsservercore-ltsc2022.../microsoft/golang:1.21-cngcrypto-windowsservercore-ltsc2022Something to perhaps point out more directly in our readme is that we don't produce runtime images. These (and the non-FIPS images for that matter) are all meant to be used for builds, not deployment.
golang:1.21-opensslcrypto-compelfips-bullseyetying in with https://github.com/microsoft/go/issues/928