[Swan-dev] generating x509 certificates

Andrew Cagney andrew.cagney at gmail.com
Tue Feb 3 18:53:52 EET 2015 

Antony,

To summarize, you're stating that there is no reproducible way to run
the x509 test-suite.  Be it me, you, or anyone.  The conclusion I draw
from that is that I shouldn't even bother running them.

I'll neuter the changes.

Andrew


On 3 February 2015 at 11:39, Antony Antony <antony at phenome.org> wrote:
> Andrew,
> I am very suspicious of this change, removing the shell script and adding the py to  every make check, in haste. In the past me and others spend a lot of time on dist_certs and py variant without satisfactory result. So the switch is postponed. Check the git logs of dist_certs and the testing pluto makefile:( One way I can see your change stick is you share your test run results. I would like to see how many x509 tests passed. If that number is low we should not be making this swift change.
>
> Why such a hurry. This will potentially break daily run. Did you complete a whole run before pushing this change? It takes 6+ hours for that.
> When a change has potential to break 100s of test cases, better try it out first.
>
> What is the harm is leaving the shell script there?
>
> Would you please put the shell script back and remove dist_cert.py from make check. The urgency for this mail is due to fact that my next run .py will delete my existing certificates. That is why it is not in "make check" and no easy way to revert if .py fails. I have continuous test runs going on.
>
> If you like, or need an extra server to run tests, I can offer to do a run using dist_certs.py on a separate machine and compare the results. One problem there our test results may have drifted too much from recent peak of 200 - 210 passing test cases. One more reason to be cautious when the number is low.
>
> I will wait a couple of hours. If we don't reach resolution I am tempted to revert the whole commit. I don't know exactly which parts are harmless improvements.
> regards,
> -antony
>
> On Tue, Feb 03, 2015 at 10:58:02AM -0500, Andrew Cagney wrote:
>> On 3 February 2015 at 10:33, Paul Wouters <paul at nohats.ca> wrote:
>> > On Tue, 3 Feb 2015, Andrew Cagney wrote:
>> >
>> >> - purging the shell script
>> >> - tweaking the "make check" so it depends on those certs and will generate
>> >> them
>> >> seem reasonable?
>> >
>> >
>> > Confirm that with Matt first :)
>>
>> Oops :-)
>> Turned out that dist_certs.py didn't generate nss-pw so I pushed that
>> fix and the rest :-(
>> It can't be worse than the old situation.
>>
>> >> Who wishes the code to boot/run commands on a client (in swantest) was
>> >> available as a separate script - I could then use the test machine's
>> >> version of openssl.
>> >
>> >
>> > you can ssh into the machines? :)
>>
>> True, if it has been set up.  I'd like avoid adding that dependency to
>> the test infrastructure though.
>>
>> > Paul
>> _______________________________________________
>> Swan-dev mailing list
>> Swan-dev at lists.libreswan.org
>> https://lists.libreswan.org/mailman/listinfo/swan-dev
>>

More information about the Swan-dev mailing list