Open dagood opened 1 year ago
Now that we have `systemcrypto` in 1.21, we can keep the old tag names, but make them usable for cross-building:
| Tag | Build platform | Target platform |
|---|---|---|
| `.../microsoft/golang:1.21-fips-bullseye` | Linux | Linux |
| `.../microsoft/golang:1.21-fips-bullseye` | Linux | Windows |
| `.../microsoft/golang:1.21-fips-windowsservercore-ltsc2022` | Windows | Linux |
| `.../microsoft/golang:1.21-fips-windowsservercore-ltsc2022` | Windows | Windows |
golangpublicimages.azurecr.io/nightly/oss/go/microsoft/golang:1.21-rc-fips-cbl-mariner2.0
golangpublicimages.azurecr.io/nightly/oss/go/microsoft/golang:1.21-rc-cbl-mariner2.0
golangpublicimages.azurecr.io/nightly/oss/go/microsoft/golang:1.21-rc-fips-windowsservercore-ltsc2022
Right now, we have `-fips` tags, but they're limited to building on Linux targeting Linux.
We know that some people do build on Linux targeting Windows. It would help if we provide a tag to do that, rather than forcing them to manually configure `GOEXPERIMENT` in this particular case.
We also have no FIPS-preconfigured Windows builders, whether targeting Windows or Linux. I don't think we've identified any teams that build this way, but it seems reasonable to fill out the build matrix to have something ready for anyone who does.
We need a new naming scheme for this. I think dropping simple `-fips-` and mentioning the backend is needed. Simplest is to use the goexperiment string, like:
.../microsoft/golang:1.21-opensslcrypto-bullseye
.../microsoft/golang:1.21-cngcrypto-bullseye
.../microsoft/golang:1.21-opensslcrypto-windowsservercore-ltsc2022
.../microsoft/golang:1.21-cngcrypto-windowsservercore-ltsc2022
Something to perhaps point out more directly in our readme is that we don't produce runtime images. These (and the non-FIPS images for that matter) are all meant to be used for builds, not deployment.
`golang:1.21-opensslcrypto-compelfips-bullseye` tying in with https://github.com/microsoft/go/issues/928