🌱 Preserve Mozilla v5.8 old TLS profile and harden update script#2632
Conversation
✅ Deploy Preview for olmv1 ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
There was a problem hiding this comment.
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Preserves the deprecated Mozilla v5.8 “old” TLS profile as a static Go source while updating the generator to track Mozilla’s latest TLS guidelines and adding guards/tests to prevent accidental regressions.
Changes:
- Move
oldTLSProfileinto a new staticold_profile.go(sourced from Mozilla v5.8) and remove it from generated data. - Harden
update-tls-profiles.shwith version-based early exit and schema validations; switch input tolatest.json/ v6. - Add unit tests for old profile invariants and for presence of the
X25519MLKEM768curve across profiles.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| internal/shared/util/tlsprofiles/tlsprofiles_test.go | Adds assertions to lock down old profile invariants and ensure X25519MLKEM768 is present in profiles. |
| internal/shared/util/tlsprofiles/old_profile.go | Introduces a static copy of Mozilla v5.8 “old” profile for backward compatibility. |
| internal/shared/util/tlsprofiles/mozilla_data.go | Updates generated header to track latest.json (v6) and removes generated “old” profile. |
| hack/tools/update-tls-profiles.sh | Switches generator input to latest.json, adds early exit on unchanged version, and validates input structure before generation. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
tmshort
force-pushed
the
tls-profiles-old-profile-preservation
branch
from
fbafd47 to
2de30ac
Compare
tmshort
force-pushed
the
tls-profiles-old-profile-preservation
branch
from
2de30ac to
b4a4e74
Compare
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 4 out of 4 changed files in this pull request and generated 4 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #2632 +/- ##
=======================================
Coverage 68.95% 68.95%
=======================================
Files 139 139
Lines 9891 9891
=======================================
Hits 6820 6820
Misses 2562 2562
Partials 509 509
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
- Move oldTLSProfile to a static old_profile.go (removed from v6+ spec) - Add version-based early exit to update-tls-profiles.sh - Validate profile existence, tls_versions, ciphers, and curves fields - Make jq/sed/cat invocations null-safe and consistently quote variables - Add unit tests for old profile content; fix global state leak in tests Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> Signed-off-by: Todd Short <tshort@redhat.com>
tmshort
force-pushed
the
tls-profiles-old-profile-preservation
branch
from
b4a4e74 to
4340f84
Compare
|
|
||
| version=$(${JQ} -r '.version' ${TMPFILE}) | ||
| # Extract stored version from current output file (may be empty on first run) | ||
| STORED_VERSION=$(grep '^// DATA VERSION:' "${OUTPUT}" 2>/dev/null | awk '{print $4}' || true) |
There was a problem hiding this comment.
nit: the "|| true" may be dropped here as the grep is in a pipe with awk and the overall result would never fail (as the awk command would not fail). Still looks more robust this way.
There was a problem hiding this comment.
1. Use a fixed version URL instead of latest.json
Using latest.json makes builds non-reproducible — the same commit can pass CI today and break tomorrow if Mozilla publishes a new version (which is exactly what triggered this PR). A fixed URL like guidelines/6.0.json makes version bumps deliberate, reviewable, and auditable. It also makes the version-skip logic unnecessary since the input becomes deterministic.
2. Consider replacing bash/jq/sed code generation with go:embed + runtime parsing
The script has grown significantly with validation, null-safety, and sed workarounds. An alternative approach: commit the Mozilla JSON file directly, embed it with //go:embed, and parse it at init() time using the existing cipherSuiteId()/curveId() helpers. This eliminates the bash script, the gojq build dependency, the sed hacks for unsupported ciphers (skip unknown names during parsing instead), and the generated mozilla_data.go. The make target becomes a one-line curl.
3. The old profile's curves don't match v5.8
The static old_profile.go includes X25519MLKEM768 in its curves, but Mozilla v5.8 didn't have that curve — it was added in v6. If the intent is to preserve v5.8 faithfully, the curves should be X25519, prime256v1, secp384r1.
4. The sed cleanup is now dead code
The sed lines removing TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 etc. only applied to the old profile, which is no longer generated. These can be removed.
5. Minor: TestGetProfiles negative case dropped
The original test covered the "does-not-exist" error path. The replacement TestProfilesMapCompleteness only tests the happy path. Consider keeping the negative case.
This is intentional; because we want to ensure we are up-to-date.
Interesting idea.
Actually, 5.8 does include It wasn't part of the original 5.7.
If those ciphers are ever added to the intermediate (possible) or the modern (unlikely) profile. They will cause problems. So even though they previously only applied to the to the old profile, they could apply to any other profile. If this were moved to use golang, then all ciphers could be validated, and not just those that we list.
👍 |
|
+1 to approve/merge, but I'm not the only one with comments, so I won't add the label here yet. |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: camilamacedo86 The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
openshift-ci
bot
added
the
do-not-merge/hold
|
/unhold Since @pedjak's number 2 comment is a big thing, I'm going to do a followup PR with it, and will resolve numbers 4 (which is harmless now) and 5 at the same time. Number 1 is intentional, and 3 is incorrect. |
openshift-ci
bot
removed
the
do-not-merge/hold
openshift-merge-bot
bot
merged commit 8614e3b
into
operator-framework:main
Description
Reviewer Checklist