
gdams (Member) commented Feb 4, 2026

This is for go 1.27 and onwards

@gdams gdams force-pushed the dev/gadams/cgoless branch from 1afd358 to 0663034 Compare February 4, 2026 13:38
@gdams gdams force-pushed the dev/gadams/cgoless branch from 0663034 to 4207a50 Compare February 4, 2026 13:42
@gdams gdams marked this pull request as ready for review February 4, 2026 13:44
@gdams gdams requested a review from a team as a code owner February 4, 2026 13:44
github-actions bot commented Feb 4, 2026

Patch Consistency Review - Issues Found

I've reviewed PR #2106 for patch consistency and found 3 consistency issues that need to be addressed:

Summary of Changes

The PR is removing the ms_nocgo_opensslcrypto experiment and making CGO-less OpenSSL the default behavior on Linux for supported architectures. The patches 0002 and 0003 have been correctly updated to remove this experiment.

Issues Found

  1. Patch 0001 (Vendor dependencies): Line 723 still references ms_nocgo_opensslcrypto in the telemetry configuration string. This needs to be removed to maintain consistency.

  2. Migration Guide Documentation (lines 143 & 153): The documentation still mentions the experimental flag and suggests users enable it explicitly, which contradicts the PR's goal of making it the default behavior.

Impact

These inconsistencies could lead to:

  • Incorrect telemetry data being collected for a non-existent experiment
  • User confusion from outdated documentation that references a removed feature
  • Mixed messaging about whether users need to explicitly enable CGO-less support

Recommendation

Please update:

  1. The telemetry configuration in patch 0001 to remove the ms_nocgo_opensslcrypto reference
  2. The MigrationGuide.md to reflect that CGO-less OpenSSL is now the default on supported architectures and no longer requires explicit enablement

I've added specific inline comments on each location that needs attention. The core patch changes (0002 and 0003) look good and are internally consistent with each other.

AI generated by Patch Consistency Review Agent

@gdams gdams requested a review from qmuntal February 4, 2026 16:40
gdams (Member, Author) commented Feb 4, 2026

> The telemetry configuration in patch 0001 to remove the ms_nocgo_opensslcrypto reference

This is part of the go-infra package so we can't remove this here. I also don't think it makes sense to remove it from go-infra for now as we need it for Go 1.26.

> The MigrationGuide.md to reflect that CGO-less OpenSSL is now the default on supported architectures and no longer requires explicit enablement

I've tried to get the balance right in the migration guide, considering that most users will be running Go 1.26 so mentioning the experiment still makes sense.

dagood (Member) commented Feb 4, 2026

> > The telemetry configuration in patch 0001 to remove the ms_nocgo_opensslcrypto reference
>
> This is part of the go-infra package so we can't remove this here. I also don't think it makes sense to remove it from go-infra for now as we need it for Go 1.26.

I think the agent needs to be taught that it shouldn't pay attention to vendored Go code in general.

@dagood dagood changed the title from "openssl: delete CGO-less experiment and promote to default" to "openssl: delete cgo-less experiment and promote to default" Feb 4, 2026
qmuntal (Member) commented Feb 5, 2026

> I think the agent needs to be taught that it shouldn't pay attention to vendored Go code in general.

The comment from the agent was useful to me; it surfaced the need to update the telemetry configuration at some point in the future. The recommendation is wrong, that's true; we don't want to do it now.

github-actions bot commented Feb 5, 2026

Patch Consistency Review Summary

I've reviewed the patch file changes in this PR, which promotes the cgo-less OpenSSL implementation from an experimental feature (ms_nocgo_opensslcrypto) to the default behavior on Linux.

Changes Overview

The PR makes consistent changes across:

  • Patch 0002: Removes the ms_nocgo_opensslcrypto experiment definition files
  • Patch 0003: Simplifies build tags from goexperiment.opensslcrypto && (cgo || goexperiment.ms_nocgo_opensslcrypto) to just goexperiment.opensslcrypto
  • Documentation & Pipeline Config: Updates to reflect the new default behavior

Issue Found

There is one inconsistency that needs to be addressed:

Patch 0001 (Vendor patch) still contains a reference to ms_nocgo_opensslcrypto in the telemetry counter configuration. I've left an inline comment on the specific line that needs updating.

Recommendation

Please update the telemetry configuration in patch 0001 to remove the ms_nocgo_opensslcrypto reference to maintain consistency across all patches.

AI generated by Patch Consistency Review Agent
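
The build-tag simplification described in the comment above can be checked mechanically. The following is an added example, not code from this PR or the project: it evaluates the old and new `//go:build` expressions quoted on this page over every combination of the three tags and reports where they disagree. It models only the boolean constraint; OS and architecture restrictions are not represented, and the helper names are hypothetical.

```go
package main

import (
	"fmt"
	"go/build/constraint"
	"strings"
)

// The two //go:build expressions quoted in the review comments on this page.
const (
	oldLine = "//go:build goexperiment.opensslcrypto && (cgo || goexperiment.ms_nocgo_opensslcrypto)"
	newLine = "//go:build goexperiment.opensslcrypto"
)

// selected reports whether a file with this //go:build line is compiled when exactly the tags in set are on.
func selected(line string, set map[string]bool) (bool, error) {
	expr, err := constraint.Parse(line)
	if err != nil {
		return false, err
	}
	return expr.Eval(func(tag string) bool { return set[tag] }), nil
}

// changedConfigs returns every tag combination where the old and new constraints disagree.
func changedConfigs() ([]string, error) {
	tags := []string{"goexperiment.opensslcrypto", "cgo", "goexperiment.ms_nocgo_opensslcrypto"}
	var changed []string
	for mask := 0; mask < 1<<len(tags); mask++ {
		set, on := map[string]bool{}, []string{}
		for i, tag := range tags {
			if mask&(1<<i) != 0 {
				set[tag] = true
				on = append(on, tag)
			}
		}
		before, err1 := selected(oldLine, set)
		after, err2 := selected(newLine, set)
		if err1 != nil || err2 != nil {
			return nil, fmt.Errorf("parse failed: %v %v", err1, err2)
		}
		if before != after {
			changed = append(changed, strings.Join(on, ","))
		}
	}
	return changed, nil
}

func main() { fmt.Println(changedConfigs()) }
```

The only combination that changes is `goexperiment.opensslcrypto` with neither `cgo` nor the removed experiment set, which is the configuration the PR promotes to default.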

@gdams gdams requested a review from dagood February 5, 2026 14:35
@gdams gdams requested a review from dagood February 9, 2026 13:12
@github-actions

This comment was marked as resolved.

+++ b/src/crypto/internal/backend/openssl_linux.go
@@ -0,0 +1,424 @@
+// Copyright 2017 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style

This comment was marked as off-topic.

@gdams gdams force-pushed the dev/gadams/cgoless branch from 6e135a1 to 1f6a850 Compare February 9, 2026 13:19
@gdams gdams enabled auto-merge (squash) February 9, 2026 17:17
github-actions bot commented Feb 9, 2026

Patch Consistency Review - Incomplete Cleanup

I've reviewed the patch changes in this PR and found inconsistencies that need to be addressed:

🔴 Issues Found

1. Outdated error message in MigrationGuide.md (Line 143)

The error message example still references the experiment being removed:

```
Consider using our cgo-less experiment by setting GOEXPERIMENT=ms_nocgo_opensslcrypto.
```

This should be updated to reflect the new behavior in Go 1.27 where cgo-less OpenSSL is available by default on supported architectures.

2. Vendor patch still lists the experiment (patches/0001-Vendor-external-dependencies.patch)

The vendor patch contains a reference to ms_nocgo_opensslcrypto in what appears to be a list of supported experiments:

```
"Name": "go/goexperiment:{ms_tls_config_schannel,systemcrypto,nosystemcrypto,opensslcrypto,cngcrypto,darwincrypto,ms_nocgo_opensslcrypto}"
```

This should be removed to maintain consistency with the experiment deletion.

✅ What Was Done Well

  • The patch file changes (0002 and 0003) correctly remove the experiment flag infrastructure
  • Build tags have been properly simplified from goexperiment.opensslcrypto && (cgo || goexperiment.ms_nocgo_opensslcrypto) to just goexperiment.opensslcrypto
  • Test configurations in the pipeline have been updated appropriately
  • The new NocgoOpenSSL.md documentation is helpful and clearly explains the transition

📝 Recommended Actions

  1. Update the error message in eng/doc/MigrationGuide.md line 143 to remove the outdated suggestion
  2. Update the vendor patch to remove ms_nocgo_opensslcrypto from the experiment list
  3. Consider whether the error message itself needs to be updated since cgo-less is now the default (the error only triggers on unsupported architectures)

AI generated by Patch Consistency Review Agent

dagood (Member) left a comment

Suggestions, some maybe for followup, otherwise LGTM.

> This allows the use of OpenSSL without requiring cgo.
> Currently this experiment is supported on the following architectures: `386`, `amd64`, `arm`, `arm64`, `ppc64le` and `riscv64`.
> In Go 1.26, there is a cgo-less experiment available for Linux: `ms_nocgo_opensslcrypto`.
> In Go 1.27, the experiment will be removed and the cgo requirement for `systemcrypto` on Linux will be lifted by default.

These are still on the same line (rendered):

Suggested change
> In Go 1.27, the experiment will be removed and the cgo requirement for `systemcrypto` on Linux will be lifted by default.
>
> In Go 1.27, the experiment will be removed and the cgo requirement for `systemcrypto` on Linux will be lifted by default.

Or, should we even mention it here rather than in the other doc? 1.27 doesn't affect anyone yet, so it might not make sense for a migration doc.

Suggested change
> In Go 1.27, the experiment will be removed and the cgo requirement for `systemcrypto` on Linux will be lifted by default.

@gdams gdams merged commit 74c181a into microsoft/main Feb 10, 2026
49 checks passed
@gdams gdams deleted the dev/gadams/cgoless branch February 10, 2026 00:00
dagood (Member) commented Feb 10, 2026

Oh, automerge. I guess it's followup then. 😄
