Skip to content

Add the fipsonly package when building with boringcrypto #3246

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
sgagniere merged 1 commit into from
Jan 6, 2026
Merged

Add the fipsonly package when building with boringcrypto #3246

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions cmd/confluent/main.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@ import (

"github.com/confluentinc/cli/v4/internal"
"github.com/confluentinc/cli/v4/pkg/config"
_ "github.com/confluentinc/cli/v4/pkg/fips"
Copy link
Contributor

@tmalikconfluent tmalikconfluent Jan 6, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

any reason we use the "_" here? Could we not simply do "github.com/confluentinc/cli/v4/pkg/fips" like other cases?

Copy link
Member Author

@sgagniere sgagniere Jan 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's because we don't actually call the fips package anywhere in the file, so _ prevent a compile error.

This one is weird in that all you need to do for it to take effect is to include the underlying package anywhere in your code.

Copy link
Contributor

@tmalikconfluent tmalikconfluent Jan 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

oh i see. Sounds good

pversion "github.com/confluentinc/cli/v4/pkg/version"
)

Expand Down
5 changes: 5 additions & 0 deletions pkg/fips/fips.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
//go:build boringcrypto

package fips

import _ "crypto/tls/fipsonly" // including this package when boringcrypto is enabled forces tls to use fips settings only
3 changes: 3 additions & 0 deletions pkg/fips/no_fips.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
package fips

// This file exists to suppress build errors when not building with boringcrypto
Comment on lines +1 to +3
Copy link

Copilot AI Dec 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Missing build tag constraint. This file should have //go:build !boringcrypto as the first line to ensure it's only compiled when the boringcrypto build tag is not set, preventing conflicts with fips.go.

Copilot uses AI. Check for mistakes.
Copy link
Member Author

@sgagniere sgagniere Dec 31, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unnecessary since there's no real code in this file anyway, so there are no conflicts when compiling both files.