Description
opened on May 23, 2023
Right now, we have -fips tags, but they're limited to building on Linux targeting Linux.
We know that some people do build on Linux targeting Windows. It would help if we provide a tag to do that, rather than forcing them to manually configure GOEXPERIMENT in this particular case.
We also have no FIPS-preconfigured Windows builders, whether targeting Windows or Linux. I don't think we've identified any teams that build this way, but it seems reasonable to fill out the build matrix to have something ready for anyone who does.
We need a new naming scheme for this. I think dropping simple -fips- and mentioning the backend is needed. Simplest is to use the goexperiment string, like:

| Tag | Build platform | Target platform |
|---|---|---|
| .../microsoft/golang:1.21-opensslcrypto-bullseye | Linux | Linux |
| .../microsoft/golang:1.21-cngcrypto-bullseye | Linux | Windows |
| .../microsoft/golang:1.21-opensslcrypto-windowsservercore-ltsc2022 | Windows | Linux |
| .../microsoft/golang:1.21-cngcrypto-windowsservercore-ltsc2022 | Windows | Windows |

Something to perhaps point out more directly in our readme is that we don't produce runtime images. These (and the non-FIPS images for that matter) are all meant to be used for builds, not deployment.
- Related: Consider renaming go-images "1.x-fips" tags to "1.x-fips-builder" or another clearer name #695
- We could also consider adding e.g. golang:1.21-opensslcrypto-compelfips-bullseye tying in with Add compile-time flag that enables FIPS mode and ignores GOFIPS=0 at runtime #928