There is one bit of work that we could use some help with. Currently, several projects depend on OpenSSL, but the way we track OpenSSL is a little bit... makeshift, to say the least. Currently, both F* and HACL* have an OpenSSL git submodule, which is manually updated once in a while. The reasons we'd like to move away from this setup are manifold:
first, it'd be great to get everyone on the same page
second, we keep shooting ourselves in the foot, as git submodules require one to remember to run "git submodule update" after each branch switch (failure to do that means a spurious revert to an old version of OpenSSL)
third, it is a dependency of Everest, and as such, probably deserves the same treatment as the other tools.
I envision a modification of hashes.sh inside of project-everest/everest to also track OpenSSL, and update it regularly just like the other tools. The only bit that would be different is that the first clone would be followed by a configure invocation that currently depends on the platform (see https://github.com/FStarLang/FStar/blob/master/ucontrib/CoreCrypto/ml/Makefile#L25 where we currently do this). After that, it would just be a matter of running git pull followed by make -C openssl.
The CI for miTLS and HACL* would then be a little bit different: we would do what we currently do for Kremlin/Vale, that is, get the latest hashes.sh to know which revision of OpenSSL to use, then build & export OPENSSL_HOME accordingly.
We now have a single checkout of OpenSSL tracked in MLCrypto and used for CI.
hacl-star@master still has an OpenSSL submodule, but we are mainly using hacl-star@fstar-master which doesn't have it.
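A sketch of the pinned-revision flow proposed in the issue, added here as an example; it is not the project's hashes.sh or CI code. The `name_hash=<commit id>` line format and the function names `pinned_rev` and `sync_pinned` are assumptions, and it uses `git fetch` plus a detached checkout of the exact pinned commit in place of `git pull`, so a stale checkout fails loudly instead of silently building an old OpenSSL.

```shell
#!/bin/sh
# Added example. Assumed pin-file format (hypothetical): one line per tool,
#   <name>_hash=<full 40-hex commit id>

# pinned_rev FILE NAME: print the commit id pinned for NAME.
# Only a full 40-hex id is accepted; a branch name or short hash is rejected,
# because it would not identify one exact revision.
pinned_rev() {
    pin=$(sed -n "s/^${2}_hash=\([0-9a-f]\{40\}\)\$/\1/p" "$1" | head -n 1)
    [ -n "$pin" ] || { echo "no valid pin for $2 in $1" >&2; return 1; }
    printf '%s\n' "$pin"
}

# sync_pinned DIR URL REV [FIRST_CLONE_CMD]
# Clone on first use and run FIRST_CLONE_CMD once (the platform-dependent
# configure step); on later runs only fetch. In both cases check out REV
# detached and verify that HEAD really is REV before anything gets built.
sync_pinned() {
    dir=$1 url=$2 rev=$3 first=${4:-:}
    if [ ! -d "$dir/.git" ]; then
        git clone --quiet "$url" "$dir" || return 1
        (cd "$dir" && git checkout --quiet --detach "$rev" && sh -c "$first") \
            || return 1
    else
        git -C "$dir" fetch --quiet origin || return 1
        git -C "$dir" checkout --quiet --detach "$rev" || return 1
    fi
    head=$(git -C "$dir" rev-parse HEAD)
    [ "$head" = "$rev" ] || { echo "HEAD $head != pin $rev" >&2; return 1; }
}

# CI usage (OPENSSL_URL and CONFIGURE_CMD are placeholders, not project values):
#   rev=$(pinned_rev hashes.sh openssl) &&
#   sync_pinned openssl "$OPENSSL_URL" "$rev" "$CONFIGURE_CMD" &&
#   make -C openssl && export OPENSSL_HOME="$PWD/openssl"
```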
From @protz