@cr-tk cr-tk commented Feb 28, 2025

Summary & Motivation (Problem vs. Solution)

We rely on several AWS NSM crates. After a long break, AWS released a new version of aws-nitro-enclaves-cli that we should adopt, see here for changelog information.

Along the way

  • update the aws-nitro-enclaves-nsm-api, which is basically just a MSRV update
  • harmonize the libc minimum version, which doesn't change any Cargo.lock entries

These changes move us closer to getting rid of the unmaintained atty crate, which is now removed in most places through a switch to clap 4.x that doesn't depend on it anymore. Unfortunately, one usage site remains with aws-nitro-enclaves-image-format, which still depends on clap 3.x even in a recent version.

The dependency changes bring a lot of review tasks:

review tasks: 40 crates, of which 23 are full and 17 are partial

17 of the completely new crates are aws-* crates, which helps a bit to establish trustworthiness.
At the moment, aws-nitro-enclaves-cli doesn't have Cargo features we can disable, so this dependency load is hard to reduce from my perspective.

How I Tested These Changes

Local unit tests.

This change needs thorough testing in various testing environments.

Pre merge check list

  • Update CHANGELOG.MD

@cr-tk cr-tk force-pushed the christian/aws-nitro-cli-bump1 branch from d3cbce5 to 4017517 Compare February 28, 2025 16:57

cr-tk commented Feb 28, 2025

Rebased on top of the now-merged #504 to fix build problems. Ready for review - still working on the build problems.

@cr-tk cr-tk marked this pull request as ready for review February 28, 2025 16:58
@cr-tk cr-tk requested a review from a team as a code owner February 28, 2025 16:58
…nor versions

Additional steps:
harmonize the libc minimum version
@cr-tk cr-tk force-pushed the christian/aws-nitro-cli-bump1 branch from 4017517 to eee0eab Compare March 12, 2025 15:30
@cr-tk cr-tk added the enhancement New feature or request label Mar 12, 2025

cr-tk commented Mar 14, 2025

CI issues are resolved. I'm working on the dependency security review.

cr-tk commented Apr 7, 2025

The dependency security review is complete (see internal documentation) and this PR is ready to merge.

@r-n-o r-n-o left a comment

All of it looks reasonable. My only point of concern is utf8parse. I can't find a trusted source for it.

r-n-o commented Apr 14, 2025

The utf8parse mystery is solved, it was removed from https://github.com/alacritty/vte in https://github.com/alacritty/vte/pull/118/files. The exact source for 0.2.2 is available at https://docs.rs/crate/utf8parse/0.2.2/source/Cargo.toml -> all good ✅

@r-n-o r-n-o merged commit f82f60e into main Apr 14, 2025
6 checks passed
@r-n-o r-n-o deleted the christian/aws-nitro-cli-bump1 branch April 14, 2025 20:19

cr-tk commented Apr 15, 2025

@r-n-o as commented inline, some of the new-appearing crate entries in src/qos_enclave/Cargo.lock actually weren't new at all, since they were already in the main src/Cargo.lock before this PR. This is a side effect of workspace/lockfile mechanics, where the qos_enclave crate essentially uses a subset of dependency entries from the workspace.
As far as I can see, this fully explains why some apparently changed crates weren't part of the review list.

It's still useful that you had a look at them, good sanity checking!
Thank you for the additional review 👍
