http codecs: considering forking #10988
Comments
mattklein123
added
area/security
area/community
no stalebot
|
cc @danzh2010 we also need to have a good procedure for Quiche/HTTP3 to make sure all relevant feature flags are exposed and documented as Envoy feature flags once HTTP3 is considered production ready. |
|
Thankfully QUICHE should have functional changes flag guarded per internal policy. I think for QUICHE it boils down to integrating the quic flags into Envoy runtime (which we've got on our list) as well as making sure any which guard "behavioral changes" (whatever we come up with in #10983) stick around for 3-6 months where now I think they may only last for 1-2. |
|
http parser should be pretty easy - if nothing else they've been averaging 1-2 commits a year so the overhead will be minimal. I think http/2 may end up more onerous as it's a faster moving code base and not much easier to read. I wonder if we want to start out with something a bit lighter, and have build options where one can easily pull the old or the new dependency so folks could try things out. For example with the identity breakage, I wonder if for http_parser we could just add support for what Lyft needed upstream, and support the old version until the newest was backwards compatible? |
One thing to keep in mind about nghttp2 is we only care about |
Yes we can try this. We probably would need to do this anyway for the http_parser -> llhttp transition. |
|
I assume we can runtime guard creation of H1 codec based on http_parser or llhttp. I assume we should expect some behavior changes as the parser is replaced. |
s/can/must. :) |
Of course. I just hadn't considered supporting both parsers for some time, seems necessary when making such a big change. |
|
How would we manage our own changes to forked versions? Patch stack? Direct changes? |
The easiest way would be to fork the repos into the envoyproxy org and repoint the Envoy build to those repos. Then we can have a process for reviewing all commits that go in with our own maintainers. We can decide to fast forward to upstream, possibly modify with temporary feature flags, etc. |
|
So assuming forked nghttp2, would the process of pulling in new change look something like this?
Or do we want to have two PRs PR-1 with SoT change and PR-2 on top of it with flag changes (which may undo large portions of PR-1)? I have not seen llhttp code, but it may be more complicated since it is generated from javascript. The diff may be less obvious if there are also changes to the code generator and more difficult to flag protect. Unless of course we will do it in javascript. |
|
@yanavlasov I think what you propose would work. There are probably a number of ways we could do this. Honestly I think we should probably first decide if we want to fork, and then if so we can try it and see how it goes in terms of the workflows. We will probably need to iterate. |
|
Envoy forking libraries like nghttp2 may cause some headaches for those of us that choose to compile multiple pieces of software against a single canonical version of each third-party library. |
|
I think we'd need to make sure forked nghttp2 was 100% compatible with
regular nghttp2, just one would be affected by runtime flags and the other
not.
…On Wed, May 20, 2020 at 2:25 PM antonio ***@***.***> wrote:
Envoy forking libraries like nghttp2 may cause some headaches for those of
us that choose to compile multiple pieces of software against a single
canonical version of each third-party library.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#10988 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AELALPNMZRS5LXUGDN3F65TRSQOBZANCNFSM4MTH4ZPA>
.
|
Monorepo driven development. ;) But yes, understood this may be an issue which we will need to discuss. One option would be to manually vendor both libraries within Envoy and cut the dependency, and then bring in patches manually. This is potentially more painful but would fix the monorepo issue potentially. |
|
What's the motivation for wanting to audit/control the codec commits? Concern about introduction of security vulnerabilities upstream, concern about changes in user-facing behavior, both, something else? If security vulnerabilities, I'd be equally (if not more) concerned about losing security patches if we fork. This isn't that different from delaying bumping a dependency, I suppose, but the toil involved in merging a patch is probably higher than updating the repositories file. Keeping a fork compatible with the canonical repo is probably hard without an automated test that ensures the libraries behave the same way. |
Primarily concerns about changes to user-facing behavior that we might need to feature flag. In an optimal world we would have maintainers also be maintainers of the codecs, and perhaps we should try that first. I mostly opened this issue from various discussions with @alyssawilk to discuss our options. |
|
I think if we take protection of changes with feature flags as a requirement, then forking codecs is the right way to go. I think however that adding flag protection into codec's code would not be trivial as a result codec version upgrades would be costly. I have not seen llhtp generated source code, it may be even more of a challenge given is it generated. But I guess there is only one way to find out. |
|
I think we have a plan forward here with a Google provided h2 codec in QUICHE. |
This is a tracking issue to discuss whether we want to fork llhttp (once #5155 is complete) and nghttp2 into the Envoy project. The goal of the fork would be to:
As a community we should discuss how to proceed forward with balancing forking against making sure we have the control that we need. cc @envoyproxy/security-team @alyssawilk
The text was updated successfully, but these errors were encountered: