[Swan-dev] generating x509 certificates

Andrew Cagney andrew.cagney at gmail.com
Tue Feb 3 18:32:00 EET 2015 

On 3 February 2015 at 11:02, Antony Antony <antony at phenome.org> wrote:
> On Tue, Feb 03, 2015 at 10:25:45AM -0500, Andrew Cagney wrote:
>> Does:
>> - purging the shell script
>
> not yet please. python script hasn't proven to work for me in all cases.

Since the old shell script absolutely positively doesn't work that is
still an improvement :-)  In addition, having it there and referred to
by libvirt/install.sh just drags new developers, like me, down a rat
hole.

Would you like me to re-instate the old script with the name old-dist-certs.sh?

>> - tweaking the "make check" so it depends on those certs and will generate them
>> seem reasonable?
>
> no to me. First try it a few times and then lets see where we get. Especially with 30 day or 28 day months:) Also please don't add it to "make check" yet.

I'm not sure I follow.   The rule is as follows:

check:  ${LIBRESWANSRCDIR}/kvmsetup.sh ${LIBRESWANSRCDIR}/testing/x509/nss-pw
...
${LIBRESWANSRCDIR}/testing/x509/nss-pw:
        cd ${LIBRESWANSRCDIR}/testing/x509/ && ./dist_certs.py

(a pedant will point out that nss-pw should also depend on dist_certs.py :-)

i.e., if the script has never ever been run in this tree then run it -
which is what everyone does now except manually.  Without that rule,
as a new developer, I need to magically know that the script needs to
be run (my hack to swantest helps but not much).

Would you prefer that "make check" barf if the file is missing
requiring that we run the script by hand?

Do you have any more information regarding the problems you
encountered. If Fep-29, for instance, is a problem then we could test
that using changing a VM's time and running the script.  If certain
build systems are a problem, then we can hack things to run the above
script on one of the VMs (if all else fails, I could hack swan-update
or similar).

>
>> Who wishes the code to boot/run commands on a client (in swantest) was
>> available as a separate script - I could then use the test machine's
>> version of openssl.
>
> are you saying each host, east, west will only generate its own certificate?

I'd like to be able to run arbitrary commands on the VMs from the test
framework.  Here, it would be nice to be able to run the dist_certs.py
command on west (say), as that would insulate us from the nuances of
our build systems.

Nice to have.

> -antony

More information about the Swan-dev mailing list